| Tool | Language | Status | Issues | Severity | Top Issues |
|---|---|---|---|---|---|
| Bandit | python | no_issues | — | No issues found | |
| Pylint | python | success | 18 | | Line too long (112/100); Line too long (119/100); ...and 16 more |
| Semgrep | python | success | — | No issues found | |
| Mypy | python | error | — | No issues found | |
| Safety | python | no_issues | — | No issues found | |
| Vulture | python | no_issues | — | No issues found | |
| Ruff | python | success | — | No issues found | |
| Eslint | javascript | no_issues | — | No issues found | |
| Tool | Status | Issues Found | Summary |
|---|---|---|---|
| CURL | success | 1 | 1 issue(s) found |
| NMAP | success | — | No issues detected |
| ZAP | success | 37 | 37 issue(s) found |
| Test | Status | Response Time | Throughput | Success Rate | Requests | Issues |
|---|---|---|---|---|---|---|
| Aiohttp | success | None | None | — | — | None |
| Ab | success | None | None | — | — | None |
| Locust | timeout | None | None | — | — | None |
| Artillery | success | None | None | — | — | None |
ai-analyzer

| Status | Requirement | Confidence |
|---|---|---|
| Not met | 1. POST /api/shorten - accept long URL, generate 6-character random code | HIGH |
| Not met | 2. URL model: id, original_url, short_code (unique), created_at, click_count | HIGH |
| Met | 3. GET /:code - lookup and redirect to original URL, increment counter | HIGH |
| Met | 4. Validate URL format before shortening | HIGH |

Explanation for requirement 1 (POST /api/shorten): The code does not fully meet the specific requirement of generating a 6-character random code for URL shortening. While the `generate_short_code()` function in the backend does create a 6-character random code using letters and digits, the frontend code appears to be using a different API endpoint (`/api/urls`) that does not match the specified `/api/shorten` endpoint. The frontend code suggests a different implementation than what was described in the requirement. Additionally, the frontend code seems to be incomplete (truncated), making a full analysis challenging, but based on the visible code, the specific requirement is not met as written.

Key discrepancies:
1. Frontend uses `/api/urls` instead of `/api/shorten`
2. The backend route exists for `/api/shorten`, but the frontend does not match this route
3. The 6-character code generation is present, but the overall API implementation differs from the requirement

Explanation for requirement 2 (URL model): While the Url model in the backend (backend/app.py) closely matches the requirement, the specific implementation does not fully align with the stated requirement. The model includes all the specified fields (id, original_url, short_code, created_at, click_count), but there are discrepancies in the implementation:
1. The code lacks an explicit API endpoint to retrieve or list URLs, which would typically be expected with this model.
2. The frontend code (App.jsx) references `/api/urls` endpoints that do not exist in the backend code.
3. The model is correctly defined with the specified fields, but the surrounding infrastructure to fully utilize these fields is incomplete.

The core model meets the technical specification, but the overall application implementation does not fully support the expected functionality for managing and tracking URL entries as implied by the model's structure.

Explanation for requirement 3 (GET /:code): The requirement "3. GET /:code - lookup and redirect to original URL, increment counter" is fully implemented in the `redirect_to_url()` function in the backend/app.py file.

Specifically, the function:
1. Looks up the URL entry by the short code using `Url.query.filter_by(short_code=code).first()`
2. Increments the click count with `url_entry.click_count += 1`
3. Commits the database change with `db.session.commit()`
4. Redirects to the original URL using `redirect(url_entry.original_url, code=302)`
5. Handles cases where the short code is not found by returning a 404 error
6. Includes error handling and logging

The implementation matches all aspects of the requirement, including lookup, redirection, and click count increment, with robust error handling.

Explanation for requirement 4 (URL validation): The URL validation is implemented in the backend's `is_valid_url()` function within the `backend/app.py` file. This function uses `urlparse()` to check two key aspects of a valid URL:
1. It checks for the presence of a scheme (e.g., http, https)
2. It checks for the presence of a network location (domain)

Additionally, in the frontend (`App.jsx`), there's a complementary `isValidUrl()` method that uses the `URL()` constructor to validate URLs before submission.

In the `/api/shorten` route, there's an explicit validation check:
```python
if not is_valid_url(long_url):
    logger.warning(f"POST /api/shorten: Invalid URL format: {long_url}")
    return jsonify({'error': 'Invalid URL format'}), 400
```
This ensures that only valid URLs are processed for shortening, directly meeting the requirement of validating URL format before shortening.
| Analysis Information | |
|---|---|
| Model | google_gemini-2.5-flash-lite |
| Application | #1 |
| Analysis Type | custom:google_gemini-2.5-flash-lite:1 |
| Status | Completed |
| Timestamp | None |
| Identifier | task_d046453d3526 |
| Tools & Execution | |
|---|---|
| Total Findings | 20 |
{
"metadata": {
"analysis_type": "comprehensive",
"custom_options": {
"analysis_type": "custom",
"selected_tool_display_names": [
"Bandit Security Scanner",
"Pylint Code Quality",
"ESLint JavaScript Linter",
"Safety Dependency Scanner",
"Semgrep Security Scanner",
"MyPy Type Checker",
"Vulture Dead Code Detector",
"Ruff Fast Linter",
"ZAP Security Scanner",
"cURL HTTP Client",
"Nmap Network Scanner",
"Locust Load Testing",
"Apache Bench",
"aiohttp Load Test",
"AI Requirements Scanner",
"Functional Requirements Tester",
"Stylistic Code Quality Analyzer"
],
"selected_tool_names": [
"bandit",
"pylint",
"eslint",
"safety",
"semgrep",
"mypy",
"vulture",
"ruff",
"zap",
"curl",
"nmap",
"locust",
"ab",
"aiohttp",
"requirements-scanner",
"requirements-checker",
"code-quality-analyzer"
],
"selected_tools": [
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12,
13,
14,
15,
16,
17
],
"source": "wizard_custom",
"tools": [
"bandit",
"pylint",
"eslint",
"safety",
"semgrep",
"mypy",
"vulture",
"ruff",
"zap",
"curl",
"nmap",
"locust",
"ab",
"aiohttp",
"requirements-scanner",
"requirements-checker",
"code-quality-analyzer"
],
"tools_by_service": {
"ai-analyzer": [
"requirements-scanner",
"requirements-checker",
"code-quality-analyzer"
],
"dynamic-analyzer": [
"zap",
"curl",
"nmap"
],
"performance-tester": [
"locust",
"ab",
"aiohttp"
],
"static-analyzer": [
"bandit",
"pylint",
"eslint",
"safety",
"semgrep",
"mypy",
"vulture",
"ruff"
]
},
"unified_analysis": true
},
"results_path": "results/google_gemini-2.5-flash-lite/app1/task_d046453d3526",
"services": {
"ai": {
"analysis": {
"metadata": {
"ai_model_used": "anthropic/claude-3-5-haiku",
"analysis_time": "2025-11-16T13:20:11.515933",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"template_slug": "api_url_shortener"
},
"results": {
"control_endpoint_tests": [],
"functional_requirements": [
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The code does not fully meet the specific requirement of generating a 6-character random code for URL shortening. While the `generate_short_code()` function in the backend does create a 6-character random code using letters and digits, the frontend code appears to be using a different API endpoint (`/api/urls`) that does not match the specified `/api/shorten` endpoint. The frontend code suggests a different implementation than what was described in the requirement. Additionally, the frontend code seems to be incomplete (truncated), making a full analysis challenging, but based on the visible code, the specific requirement is not met as written.\n\nKey discrepancies:\n1. Frontend uses `/api/urls` instead of `/api/shorten`\n2. The backend route exists for `/api/shorten`, but the frontend does not match this route\n3. The 6-character code generation is present, but the overall API implementation differs from the requirement",
"met": false,
"requirement": "1. POST /api/shorten - accept long URL, generate 6-character random code"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "While the Url model in the backend (backend/app.py) closely matches the requirement, the specific implementation does not fully align with the stated requirement. The model includes all the specified fields (id, original_url, short_code, created_at, click_count), but there are discrepancies in the implementation:\n\n1. The code lacks an explicit API endpoint to retrieve or list URLs, which would typically be expected with this model.\n2. The frontend code (App.jsx) references `/api/urls` endpoints that do not exist in the backend code.\n3. The model is correctly defined with the specified fields, but the surrounding infrastructure to fully utilize these fields is incomplete.\n\nThe core model meets the technical specification, but the overall application implementation does not fully support the expected functionality for managing and tracking URL entries as implied by the model\u0027s structure.",
"met": false,
"requirement": "2. URL model: id, original_url, short_code (unique), created_at, click_count"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The requirement \"3. GET /:code - lookup and redirect to original URL, increment counter\" is fully implemented in the `redirect_to_url()` function in the backend/app.py file. \n\nSpecifically, the function:\n1. Looks up the URL entry by the short code using `Url.query.filter_by(short_code=code).first()`\n2. Increments the click count with `url_entry.click_count += 1`\n3. Commits the database change with `db.session.commit()`\n4. Redirects to the original URL using `redirect(url_entry.original_url, code=302)`\n5. Handles cases where the short code is not found by returning a 404 error\n6. Includes error handling and logging\n\nThe implementation matches all aspects of the requirement, including lookup, redirection, and click count increment, with robust error handling.",
"met": true,
"requirement": "3. GET /:code - lookup and redirect to original URL, increment counter"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The URL validation is implemented in the backend\u0027s `is_valid_url()` function within the `backend/app.py` file. This function uses `urlparse()` to check two key aspects of a valid URL:\n1. It checks for the presence of a scheme (e.g., http, https)\n2. It checks for the presence of a network location (domain)\n\nAdditionally, in the frontend (`App.jsx`), there\u0027s a complementary `isValidUrl()` method that uses the `URL()` constructor to validate URLs before submission.\n\nIn the `/api/shorten` route, there\u0027s an explicit validation check:\n```python\nif not is_valid_url(long_url):\n logger.warning(f\"POST /api/shorten: Invalid URL format: {long_url}\")\n return jsonify({\u0027error\u0027: \u0027Invalid URL format\u0027}), 400\n```\n\nThis ensures that only valid URLs are processed for shortening, directly meeting the requirement of validating URL format before shortening.",
"met": true,
"requirement": "4. Validate URL format before shortening"
}
],
"summary": {
"compliance_percentage": 50.0,
"control_endpoints_passed": 0,
"functional_requirements_met": 2,
"total_control_endpoints": 0,
"total_functional_requirements": 4
}
},
"status": "success",
"tool_name": "requirements-checker"
},
"service": "ai-analyzer",
"status": "success",
"timestamp": "2025-11-16T13:20:11.515965",
"type": "ai_analysis_result"
},
"dynamic": {
"analysis": {
"analysis_time": "2025-11-16T13:19:11.417056",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"connectivity": [
{
"analysis": {
"curl_exit_code": 0,
"reachable": true,
"security_headers": {
"content-security-policy": false,
"strict-transport-security": false,
"x-content-type-options": false,
"x-frame-options": false,
"x-xss-protection": false
},
"security_score": 0,
"status_code": 404,
"status_line": "HTTP/1.1 404 NOT FOUND",
"total_security_headers": 5,
"url": "http://host.docker.internal:5009"
},
"status": "success"
},
{
"analysis": {
"curl_exit_code": 0,
"reachable": true,
"security_headers": {
"content-security-policy": false,
"strict-transport-security": false,
"x-content-type-options": false,
"x-frame-options": false,
"x-xss-protection": false
},
"security_score": 0,
"status_code": 200,
"status_line": "HTTP/1.1 200 OK",
"total_security_headers": 5,
"url": "http://host.docker.internal:8009"
},
"status": "success"
}
],
"port_scan": {
"host": "host.docker.internal",
"open_ports": [
5000,
5009,
8009
],
"scanned_ports": [
8000,
5000,
8009,
80,
5009,
8080,
3000,
443
],
"status": "success",
"total_open": 3
},
"tool_runs": {
"curl": {
"commands": [],
"executed": true,
"status": "success",
"tool": "curl",
"total_issues": 1
},
"nmap": {
"commands": [],
"executed": true,
"status": "success",
"tool": "nmap",
"total_issues": 0
},
"zap": {
"commands": [],
"executed": true,
"status": "success",
"tool": "zap",
"total_issues": 37
}
},
"vulnerability_scan": [
{
"status": "success",
"total_vulnerabilities": 0,
"url": "http://host.docker.internal:5009",
"vulnerabilities": []
},
{
"status": "success",
"total_vulnerabilities": 1,
"url": "http://host.docker.internal:8009",
"vulnerabilities": [
{
"description": "Potentially sensitive paths are accessible",
"paths": [
{
"path": "/admin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/admin"
},
{
"path": "/login",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/login"
},
{
"path": "/wp-admin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/wp-admin"
},
{
"path": "/phpmyadmin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/phpmyadmin"
},
{
"path": "/.git",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/.git"
},
{
"path": "/.env",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/.env"
},
{
"path": "/config",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/config"
},
{
"path": "/backup",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/backup"
}
],
"severity": "medium",
"type": "exposed_paths"
}
]
}
],
"zap_security_scan": [
{
"alerts_by_risk": {
"High": [],
"Informational": [],
"Low": [
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "1",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/",
"wascid": "13"
},
{
"alert": "ZAP is Out of Date",
"alertRef": "10116",
"attack": "",
"confidence": "High",
"cweid": "1104",
"description": "The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is.",
"evidence": "",
"id": "2",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "ZAP is Out of Date",
"other": "The latest version of ZAP is 2.16.1",
"param": "",
"pluginId": "10116",
"reference": "https://www.zaproxy.org/download/",
"risk": "Low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"sourceid": "3",
"tags": {
"CWE-1104": "https://cwe.mitre.org/data/definitions/1104.html"
},
"url": "http://host.docker.internal:5009/",
"wascid": "45"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "4",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "6",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "8",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009",
"wascid": "13"
}
],
"Medium": [
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "0",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "3",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "5",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "7",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009",
"wascid": "14"
}
]
},
"all_alerts": [
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "0",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "1",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/",
"wascid": "13"
},
{
"alert": "ZAP is Out of Date",
"alertRef": "10116",
"attack": "",
"confidence": "High",
"cweid": "1104",
"description": "The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is.",
"evidence": "",
"id": "2",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "ZAP is Out of Date",
"other": "The latest version of ZAP is 2.16.1",
"param": "",
"pluginId": "10116",
"reference": "https://www.zaproxy.org/download/",
"risk": "Low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"sourceid": "3",
"tags": {
"CWE-1104": "https://cwe.mitre.org/data/definitions/1104.html"
},
"url": "http://host.docker.internal:5009/",
"wascid": "45"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "3",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "4",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "13"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "5",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "6",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "13"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "7",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "8",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009",
"wascid": "13"
}
],
"scan_type": "baseline",
"status": "success",
"total_alerts": 9,
"url": "http://host.docker.internal:5009"
},
{
"alerts_by_risk": {
"High": [],
"Informational": [
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "13",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "18",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "23",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "28",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "-1"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "user",
"id": "36",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bUSER\\b and was detected 2 times, the first in the element starting with: \"`+o.stack}return{value:e,source:t,stack:l,digest:null}}function So(e,t,n){return{value:e,source:null,stack:n??null,digest:t??nul\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "select",
"id": "37",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bSELECT\\b and was detected in the element starting with: \"`+l[i].replace(\" at new \",\" at \");return e.displayName\u0026\u0026s.includes(\"\u003canonymous\u003e\")\u0026\u0026(s=s.replace(\"\u003canonymous\u003e\",e.displayName)),s}\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "from",
"id": "38",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bFROM\\b and was detected in the element starting with: \"`):\" \"+Ws(i[0]):\"as no adapter specified\";throw new O(\"There is no suitable adapter to dispatch the request \"+u,\"ERR_NOT_SUPPORT\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
}
],
"Low": [
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "14",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "15",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "19",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "20",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "24",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "25",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "29",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "30",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "39",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "40",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "41",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "42",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "78",
"inputVector": "",
"messageId": "47",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets",
"wascid": "13"
}
],
"Medium": [
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "11",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "12",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "16",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "17",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "21",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "22",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "26",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "27",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
}
]
},
"all_alerts": [
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "11",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "12",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "13",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "14",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "15",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "16",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "17",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "18",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "19",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "20",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "21",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "22",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "23",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "24",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "25",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "26",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "27",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "28",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "29",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "30",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "user",
"id": "36",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bUSER\\b and was detected 2 times, the first in the element starting with: \"`+o.stack}return{value:e,source:t,stack:l,digest:null}}function So(e,t,n){return{value:e,source:null,stack:n??null,digest:t??nul\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "select",
"id": "37",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bSELECT\\b and was detected in the element starting with: \"`+l[i].replace(\" at new \",\" at \");return e.displayName\u0026\u0026s.includes(\"\u003canonymous\u003e\")\u0026\u0026(s=s.replace(\"\u003canonymous\u003e\",e.displayName)),s}\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "from",
"id": "38",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bFROM\\b and was detected in the element starting with: \"`):\" \"+Ws(i[0]):\"as no adapter specified\";throw new O(\"There is no suitable adapter to dispatch the request \"+u,\"ERR_NOT_SUPPORT\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "39",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "40",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "41",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "42",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "78",
"inputVector": "",
"messageId": "47",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets",
"wascid": "13"
}
],
"scan_type": "baseline",
"status": "success",
"total_alerts": 28,
"url": "http://host.docker.internal:8009"
}
]
},
"sarif_export": {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:19:44.984004+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "ZAP is Out of Date: The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-1104"
],
"reference": "https://www.zaproxy.org/download/",
"risk": "low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"wasc": 45
},
"ruleId": "ZAP is Out of Date"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
}
],
"tool": {
"driver": {
"informationUri": "https://www.zaproxy.org/",
"name": "zap",
"version": "unknown"
}
}
},
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:19:44.984283+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
}
],
"tool": {
"driver": {
"informationUri": "https://www.zaproxy.org/",
"name": "zap",
"version": "unknown"
}
}
}
],
"version": "2.1.0"
},
"summary": {
"analysis_status": "completed",
"reachable_urls": 2,
"total_urls_tested": 2,
"vulnerabilities_found": 1
},
"target_urls": [
"http://host.docker.internal:5009",
"http://host.docker.internal:8009"
],
"tool_results": {
"curl": {
"executed": true,
"status": "success",
"tool": "curl",
"total_issues": 1
},
"nmap": {
"executed": true,
"status": "success",
"tool": "nmap",
"total_issues": 0
},
"zap": {
"executed": true,
"status": "success",
"tool": "zap",
"total_issues": 37
}
},
"tools_used": [
"nmap",
"zap",
"curl"
]
},
"service": "dynamic-analyzer",
"status": "success",
"timestamp": "2025-11-16T13:19:45.081843",
"type": "dynamic_analysis_result"
},
"performance": {
"analysis": {
"analysis_time": "2025-11-16T13:15:43.406182",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"http://host.docker.internal:5009": {
"ab": {
"avg_response_time": 4.344,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:5009/"
],
"duration": 0.0994715690612793,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: Werkzeug/3.0.1\nServer Hostname: host.docker.internal\nServer Port: 5009\n\nDocument Path: /\nDocument Length: 31 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.087 seconds\nComplete requests: 20\nFailed requests: 0\nNon-2xx responses: 20\nTotal transferred: 4720 bytes\nHTML transferred: 620 bytes\nRequests per second: 230.20 [#/sec] (mean)\nTime per request: 21.720 [ms] (mean)\nTime per request: 4.344 [ms] (mean, across all concurrent requests)\nTransfer rate: 53.05 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 3 0.6 2 4\nProcessing: 14 17 1.7 17 20\nWaiting: 3 5 1.4 5 8\nTotal: 16 19 1.7 19 22\nWARNING: The median and mean for the initial connection time are not within a normal deviation\n These results are probably not that reliable.\n\nPercentage of the requests served within a certain time (ms)\n 50% 19\n 66% 21\n 75% 21\n 80% 21\n 90% 22\n 95% 22\n 98% 22\n 99% 22\n 100% 22 (longest request)\n"
},
"requests_per_second": 230.2,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:5009/"
},
"aiohttp": {
"avg_response_time": 14.9841,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 29.155,
"median_response_time": 14.918,
"min_response_time": 7.622,
"raw": {
"duration": 0.10457968711853027,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:5009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 0,
"3xx": 0,
"4xx": 150,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 45.82046842575073,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tek6y_9ccx8mjeecw4yyykpnke9bmapfdxy_qwhq\nPhase started: Load test (index: 0, duration: 30s) 13:16:57(+0000)\n\n--------------------------------------\nMetrics for period to: 13:17:00(+0000) (width: 1.327s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 10\nhttp.downloaded_bytes: ......................................................... 310\nhttp.request_rate: ............................................................. 10/sec\nhttp.requests: ................................................................. 10\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 14\n mean: ........................................................................ 5.9\n median: ...................................................................... 5\n p95: ......................................................................... 7\n p99: ......................................................................... 7\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 14\n mean: ........................................................................ 5.9\n median: ...................................................................... 5\n p95: ......................................................................... 7\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 10\nvusers.completed: .............................................................. 10\nvusers.created: ................................................................ 10\nvusers.created_by_name.Simple load test: ....................................... 10\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 14.4\n max: ......................................................................... 119.8\n mean: ........................................................................ 53.9\n median: ...................................................................... 38.5\n p95: ......................................................................... 120.3\n p99: ......................................................................... 120.3\n\n\n--------------------------------------\nMetrics for period to: 13:17:10(+0000) (width: 9.237s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 1550\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 18\n mean: ........................................................................ 6.2\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 18\n mean: ........................................................................ 6.2\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 12.4\n max: ......................................................................... 42.4\n mean: ........................................................................ 20.1\n median: ...................................................................... 18.4\n p95: ......................................................................... 32.1\n p99: ......................................................................... 38.5\n\n\n--------------------------------------\nMetrics for period to: 13:17:20(+0000) (width: 9.246s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 1550\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 74\n mean: ........................................................................ 6.8\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 74\n mean: ........................................................................ 6.8\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 11.5\n max: ......................................................................... 171.5\n mean: ........................................................................ 31.8\n median: ...................................................................... 15.3\n p95: ......................................................................... 115.6\n p99: ......................................................................... 127.8\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:17:27(+0000)\n\n--------------------------------------\nMetrics for period to: 13:17:30(+0000) (width: 7.329s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 40\nhttp.downloaded_bytes: ......................................................... 1240\nhttp.request_rate: ...................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:5009"
},
"connectivity": {
"message": "Successfully connected to http://host.docker.internal:5009",
"original_url": "http://host.docker.internal:5009",
"status": "success",
"working_url": "http://host.docker.internal:5009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:5009"
}
},
"http://host.docker.internal:8009": {
"ab": {
"avg_response_time": 3.2,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:8009/"
],
"duration": 0.07644104957580566,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: nginx/1.29.3\nServer Hostname: host.docker.internal\nServer Port: 8009\n\nDocument Path: /\nDocument Length: 406 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.064 seconds\nComplete requests: 20\nFailed requests: 0\nTotal transferred: 15140 bytes\nHTML transferred: 8120 bytes\nRequests per second: 312.51 [#/sec] (mean)\nTime per request: 16.000 [ms] (mean)\nTime per request: 3.200 [ms] (mean, across all concurrent requests)\nTransfer rate: 231.03 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 6 4.5 5 19\nProcessing: 3 8 6.6 6 23\nWaiting: 2 8 6.2 5 22\nTotal: 6 14 7.8 13 31\n\nPercentage of the requests served within a certain time (ms)\n 50% 13\n 66% 14\n 75% 22\n 80% 24\n 90% 29\n 95% 31\n 98% 31\n 99% 31\n 100% 31 (longest request)\n"
},
"requests_per_second": 312.51,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:8009/"
},
"aiohttp": {
"avg_response_time": 4.4738,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 13.024000000000001,
"median_response_time": 3.2969999999999997,
"min_response_time": 2.054,
"raw": {
"duration": 0.033414602279663086,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 150,
"3xx": 0,
"4xx": 0,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 41.24952745437622,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tnqja_hq3k9f3xwkfd5kfmw5j4539nechmh_byhb\nPhase started: Load test (index: 0, duration: 30s) 13:18:39(+0000)\n\n--------------------------------------\nMetrics for period to: 13:18:50(+0000) (width: 9.211s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 7.6\n max: ......................................................................... 190.6\n mean: ........................................................................ 24.8\n median: ...................................................................... 12.8\n p95: ......................................................................... 100.5\n p99: ......................................................................... 122.7\n\n\n--------------------------------------\nMetrics for period to: 13:19:00(+0000) (width: 9.326s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 9.1\n max: ......................................................................... 62.4\n mean: ........................................................................ 13.9\n median: ...................................................................... 12.1\n p95: ......................................................................... 19.9\n p99: ......................................................................... 26.3\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:19:09(+0000)\n\n--------------------------------------\nMetrics for period to: 13:19:10(+0000) (width: 9.212s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 8.5\n max: ......................................................................... 51.1\n mean: ........................................................................ 14.9\n median: ...................................................................... 10.7\n p95: ......................................................................... 38.5\n p99: ......................................................................... 50.9\n\n\nAll VUs finished. Total time: 30 seconds\n\n--------------------------------\nSummary report @ 13:19:10(+0000)\n--------------------------------\n\nhttp.codes.200: ................................................................ 150\nhttp.downloaded_bytes: ......................................................... 60900\nhttp.request_rate: ............................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"connectivity": {
"message": "Successfully connected to http://host.docker.internal:8009",
"original_url": "http://host.docker.internal:8009",
"status": "success",
"working_url": "http://host.docker.internal:8009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:8009"
}
},
"tool_runs": {
"ab": {
"avg_response_time": 3.2,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:8009/"
],
"duration": 0.07644104957580566,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: nginx/1.29.3\nServer Hostname: host.docker.internal\nServer Port: 8009\n\nDocument Path: /\nDocument Length: 406 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.064 seconds\nComplete requests: 20\nFailed requests: 0\nTotal transferred: 15140 bytes\nHTML transferred: 8120 bytes\nRequests per second: 312.51 [#/sec] (mean)\nTime per request: 16.000 [ms] (mean)\nTime per request: 3.200 [ms] (mean, across all concurrent requests)\nTransfer rate: 231.03 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 6 4.5 5 19\nProcessing: 3 8 6.6 6 23\nWaiting: 2 8 6.2 5 22\nTotal: 6 14 7.8 13 31\n\nPercentage of the requests served within a certain time (ms)\n 50% 13\n 66% 14\n 75% 22\n 80% 24\n 90% 29\n 95% 31\n 98% 31\n 99% 31\n 100% 31 (longest request)\n"
},
"requests_per_second": 312.51,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:8009/"
},
"aiohttp": {
"avg_response_time": 4.4738,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 13.024000000000001,
"median_response_time": 3.2969999999999997,
"min_response_time": 2.054,
"raw": {
"duration": 0.033414602279663086,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 150,
"3xx": 0,
"4xx": 0,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 41.24952745437622,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tnqja_hq3k9f3xwkfd5kfmw5j4539nechmh_byhb\nPhase started: Load test (index: 0, duration: 30s) 13:18:39(+0000)\n\n--------------------------------------\nMetrics for period to: 13:18:50(+0000) (width: 9.211s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 7.6\n max: ......................................................................... 190.6\n mean: ........................................................................ 24.8\n median: ...................................................................... 12.8\n p95: ......................................................................... 100.5\n p99: ......................................................................... 122.7\n\n\n--------------------------------------\nMetrics for period to: 13:19:00(+0000) (width: 9.326s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 9.1\n max: ......................................................................... 62.4\n mean: ........................................................................ 13.9\n median: ...................................................................... 12.1\n p95: ......................................................................... 19.9\n p99: ......................................................................... 26.3\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:19:09(+0000)\n\n--------------------------------------\nMetrics for period to: 13:19:10(+0000) (width: 9.212s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 8.5\n max: ......................................................................... 51.1\n mean: ........................................................................ 14.9\n median: ...................................................................... 10.7\n p95: ......................................................................... 38.5\n p99: ......................................................................... 50.9\n\n\nAll VUs finished. Total time: 30 seconds\n\n--------------------------------\nSummary report @ 13:19:10(+0000)\n--------------------------------\n\nhttp.codes.200: ................................................................ 150\nhttp.downloaded_bytes: ......................................................... 60900\nhttp.request_rate: ............................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:8009"
}
}
},
"status": "success",
"target_urls": [
"http://host.docker.internal:5009",
"http://host.docker.internal:8009"
],
"tool_results": {
"ab": {
"executed": true,
"status": "success",
"tool": "ab",
"total_issues": 0
},
"aiohttp": {
"executed": true,
"status": "success",
"tool": "aiohttp",
"total_issues": 0
},
"artillery": {
"executed": true,
"status": "success",
"tool": "artillery",
"total_issues": 0
},
"locust": {
"executed": true,
"status": "timeout",
"tool": "locust"
}
},
"tools_used": [
"artillery",
"aiohttp",
"ab"
]
},
"service": "performance-tester",
"status": "success",
"timestamp": "2025-11-16T13:19:11.381241",
"type": "performance_analysis_result"
},
"static": {
"analysis": {
"_project_metadata": {
"file_counts": {
"css": 1,
"docker_compose": 1,
"dockerfile": 2,
"html": 1,
"javascript": 3,
"json": 1,
"python": 1,
"typescript": 0
},
"security_files": {
"dockerfile": true,
"gitignore": false,
"package_json": false,
"requirements_txt": false
},
"total_files": 10
},
"analysis_time": "2025-11-16T13:14:48.875397",
"app_number": 1,
"configuration_applied": false,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"css": {},
"javascript": {
"_metadata": {
"eslint": {
"error": null,
"executed": true,
"status": "no_issues",
"total_issues": 0
}
},
"eslint": {
"executed": true,
"issues": [],
"status": "no_issues",
"tool": "eslint",
"total_issues": 0
}
},
"python": {
"_metadata": {
"bandit": {
"error": null,
"executed": true,
"format": "sarif",
"status": "no_issues",
"total_issues": 2
},
"flake8": {
"error": null,
"executed": false,
"format": null,
"status": "not_run",
"total_issues": 0
},
"mypy": {
"error": "Invalid JSON output format",
"executed": true,
"format": "json",
"status": "error",
"total_issues": 0
},
"pylint": {
"error": null,
"executed": true,
"format": "json",
"status": "success",
"total_issues": 18
},
"ruff": {
"error": null,
"executed": true,
"format": "sarif",
"status": "success",
"total_issues": 0
},
"safety": {
"error": null,
"executed": true,
"format": "json",
"status": "no_issues",
"total_issues": 0
},
"semgrep": {
"error": null,
"executed": true,
"format": "sarif",
"status": "success",
"total_issues": 2
},
"vulture": {
"error": null,
"executed": true,
"format": "json",
"status": "no_issues",
"total_issues": 0
}
},
"bandit": {
"executed": true,
"format": "sarif",
"issues": [],
"sarif": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:49Z",
"executionSuccessful": true
}
],
"properties": {
"metrics": {
"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
},
"_totals": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
}
}
},
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 53,
"snippet": {
"text": " while True:\n code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n if not Url.query.filter_by(short_code=code).first():\n"
},
"startLine": 51
},
"region": {
"endColumn": 49,
"endLine": 52,
"snippet": {
"text": " code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n"
},
"startColumn": 24,
"startLine": 52
}
}
}
],
"message": {
"text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
},
"properties": {
"issue_confidence": "HIGH",
"issue_severity": "LOW"
},
"ruleId": "B311",
"ruleIndex": 0
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 144,
"snippet": {
"text": " logger.info(f\"Starting Flask app on port {port}\")\n app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startLine": 143
},
"region": {
"endColumn": 27,
"endLine": 144,
"snippet": {
"text": " app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startColumn": 18,
"startLine": 144
}
}
}
],
"message": {
"text": "Possible binding to all interfaces."
},
"properties": {
"issue_confidence": "MEDIUM",
"issue_severity": "MEDIUM"
},
"ruleId": "B104",
"ruleIndex": 1
}
],
"tool": {
"driver": {
"name": "Bandit",
"organization": "PyCQA",
"rules": [
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b311-random",
"id": "B311",
"name": "blacklist",
"properties": {
"precision": "high",
"tags": [
"security",
"external/cwe/cwe-330"
]
}
},
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/plugins/b104_hardcoded_bind_all_interfaces.html",
"id": "B104",
"name": "hardcoded_bind_all_interfaces",
"properties": {
"precision": "medium",
"tags": [
"security",
"external/cwe/cwe-605"
]
}
}
],
"semanticVersion": "1.8.6",
"version": "1.8.6"
}
}
}
],
"version": "2.1.0"
},
"status": "no_issues",
"tool": "bandit",
"total_issues": 2
},
"mypy": {
"error": "Invalid JSON output format",
"executed": true,
"issues": [],
"sarif": {
"invocations": [
{
"endTimeUtc": "2025-11-16T13:15:35.192986+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 10,
"startLine": 21
}
}
}
],
"message": {
"text": "Name \"db.Model\" is not defined"
},
"properties": {
"severity": "high"
},
"ruleId": "type-check"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/mypy",
"name": "mypy",
"version": "unknown"
}
}
},
"status": "error",
"tool": "mypy",
"total_issues": 0
},
"pylint": {
"config_used": {},
"executed": true,
"issues": [
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 88,
"message": "Line too long (112/100)",
"module": "app",
"obj": "",
"rule": "C0301",
"severity": "low",
"symbol": "line-too-long",
"type": "convention"
},
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 111,
"message": "Line too long (119/100)",
"module": "app",
"obj": "",
"rule": "C0301",
"severity": "low",
"symbol": "line-too-long",
"type": "convention"
},
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 144,
"message": "Final newline missing",
"module": "app",
"obj": "",
"rule": "C0304",
"severity": "low",
"symbol": "missing-final-newline",
"type": "convention"
},
{
"column": 14,
"end_column": 17,
"end_line": 39,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 39,
"message": "Redefining name \u0027app\u0027 from outer scope (line 14)",
"module": "app",
"obj": "setup_app",
"rule": "W0621",
"severity": "medium",
"symbol": "redefined-outer-name",
"type": "warning"
},
{
"column": 8,
"end_column": 76,
"end_line": 81,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 81,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 11,
"end_column": 20,
"end_line": 98,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 98,
"message": "Catching too general exception Exception",
"module": "app",
"obj": "shorten_url",
"rule": "W0718",
"severity": "medium",
"symbol": "broad-exception-caught",
"type": "warning"
},
{
"column": 12,
"end_column": 112,
"end_line": 88,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 88,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 79,
"end_line": 95,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 95,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 80,
"end_line": 100,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 100,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 11,
"end_column": 20,
"end_line": 116,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 116,
"message": "Catching too general exception Exception",
"module": "app",
"obj": "redirect_to_url",
"rule": "W0718",
"severity": "medium",
"symbol": "broad-exception-caught",
"type": "warning"
},
{
"column": 8,
"end_column": 65,
"end_line": 115,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 108,
"message": "Unnecessary \"else\" after \"return\", remove the \"else\" and de-indent the code inside it",
"module": "app",
"obj": "redirect_to_url",
"rule": "R1705",
"severity": "low",
"symbol": "no-else-return",
"type": "refactor"
},
{
"column": 12,
"end_column": 119,
"end_line": 111,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 111,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 12,
"end_column": 65,
"end_line": 114,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 114,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 67,
"end_line": 118,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 118,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 4,
"end_column": 65,
"end_line": 126,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 126,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "not_found_error",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 20,
"end_column": 25,
"end_line": 124,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 124,
"message": "Unused argument \u0027error\u0027",
"module": "app",
"obj": "not_found_error",
"rule": "W0613",
"severity": "medium",
"symbol": "unused-argument",
"type": "warning"
},
{
"column": 4,
"end_column": 70,
"end_line": 132,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 132,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "internal_server_error",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 4,
"end_column": 53,
"end_line": 143,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 143,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
}
],
"sarif": {
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:54.769518+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 88
}
}
}
],
"message": {
"text": "Line too long (112/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 111
}
}
}
],
"message": {
"text": "Line too long (119/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 144
}
}
}
],
"message": {
"text": "Final newline missing"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0304"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 14,
"startLine": 39
}
}
}
],
"message": {
"text": "setup_app: Redefining name \u0027app\u0027 from outer scope (line 14)"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0621"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 81
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 98
}
}
}
],
"message": {
"text": "shorten_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 88
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 95
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 100
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 116
}
}
}
],
"message": {
"text": "redirect_to_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 108
}
}
}
],
"message": {
"text": "redirect_to_url: Unnecessary \"else\" after \"return\", remove the \"else\" and de-indent the code inside it"
},
"properties": {
"severity": "refactor"
},
"ruleId": "R1705"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 111
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 114
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 118
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 126
}
}
}
],
"message": {
"text": "not_found_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 20,
"startLine": 124
}
}
}
],
"message": {
"text": "not_found_error: Unused argument \u0027error\u0027"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0613"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 132
}
}
}
],
"message": {
"text": "internal_server_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 143
}
}
}
],
"message": {
"text": "Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/pylint",
"name": "pylint",
"version": "unknown"
}
}
},
"severity_breakdown": {
"high": 0,
"low": 4,
"medium": 14
},
"status": "success",
"tool": "pylint",
"total_issues": 18
},
"ruff": {
"executed": true,
"format": "sarif",
"output": "{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"results\": [],\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://github.com/astral-sh/ruff\",\n \"name\": \"ruff\",\n \"rules\": [],\n \"version\": \"0.14.5\"\n }\n }\n }\n ],\n \"version\": \"2.1.0\"\n}",
"sarif": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"results": [],
"tool": {
"driver": {
"informationUri": "https://github.com/astral-sh/ruff",
"name": "ruff",
"rules": [],
"version": "0.14.5"
}
}
}
],
"version": "2.1.0"
},
"status": "success",
"tool": "ruff",
"total_issues": 0
},
"safety": {
"executed": true,
"issues": [],
"status": "no_issues",
"tool": "safety",
"total_issues": 0
},
"semgrep": {
"executed": true,
"format": "sarif",
"output": "{\"version\":\"2.1.0\",\"runs\":[{\"invocations\":[{\"executionSuccessful\":true,\"toolExecutionNotifications\":[{\"descriptor\":{\"id\":\"Syntax error\"},\"level\":\"warning\",\"message\":{\"text\":\"Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/Dockerfile:9:\\n `apt-get update \u0026\u0026 apt-get install -y \\\\\\r\\n gcc \\\\\\r\\n curl \\\\\\r\\n libxml2-dev \\\\\\r\\n libxslt-dev \\\\\\r\\n python3-dev \\\\\\r\\n \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 break || \\\\\\r\\n (echo \\\"Retry $i: Failed to install system dependencies\\\" \u0026\u0026 sleep 2); \\\\\\r\\n done\\r\\n\\r\\n# Upgrade pip and install build tools with fallback\\r\\nRUN pip install --no-cache-dir --upgrade pip setuptools wheel || \\\\\\r\\n (echo \\\"WARNING: Failed to upgrade pip/setuptools, continuing with defaults\\\" \u0026\u0026 true)\\r\\n\\r\\n# Copy requirements first for better caching\\r\\nCOPY requirements.txt .\\r\\n\\r\\n# Install Python dependencies with multiple fallback strategies\\r\\nRUN echo \\\"=== Installing Python dependencies ===\\\" \u0026\u0026 \\\\\\r\\n (pip install --no-cache-dir -r requirements.txt \u0026\u0026 echo \\\"\u2713 Dependencies installed successfully\\\") || \\\\\\r\\n (echo \\\"\u26a0 First attempt failed, trying with --use-deprecated=legacy-resolver\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir --use-deprecated=legacy-resolver -r requirements.txt) || \\\\\\r\\n (echo \\\"\u26a0 Second attempt failed, trying packages individually\\\" \u0026\u0026 \\\\\\r\\n cat requirements.txt | grep -v \u0027^#\u0027 | grep -v \u0027^$\u0027 | while read pkg; do \\\\\\r\\n echo \\\"Installing $pkg...\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir \\\"$pkg\\\" || echo \\\"WARNING: Failed to install $pkg\\\"; \\\\\\r\\n done) || \\\\\\r\\n (echo \\\"ERROR: Failed to install dependencies. Image may be incomplete.\\\" \u0026\u0026 exit 1)\\r\\n\\r\\n# Verify critical Flask dependencies are installed\\r\\nRUN python -c \\\"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed\u0027)\\\" || \\\\\\r\\n (echo \\\"ERROR: Flask not installed. Installing Flask as fallback...\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir Flask\u003e=3.0.0 \u0026\u0026 \\\\\\r\\n python -c \\\"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed (fallback)\u0027)\\\")\\r\\n\\r\\n# Copy application code\\r\\nCOPY . .\\r\\n\\r\\n# Create data directory for SQLite databases with proper permissions\\r\\nRUN mkdir -p /app/data \u0026\u0026 chmod 777 /app/data\\r\\n\\r\\n# Validate app.py exists and has no syntax errors with detailed feedback\\r\\nRUN if [ ! -f app.py ]; then \\\\\\r\\n echo \\\"ERROR: app.py not found in /app di... (truncated 2052 more characters)\"}},{\"descriptor\":{\"id\":\"Syntax error\"},\"level\":\"warning\",\"message\":{\"text\":\"Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/Dockerfile:11:\\n `apk add --no-cache python3 make g++ \u0026\u0026 break || \\\\\\r\\n (echo \\\"Retry $i: Failed to install build tools\\\" \u0026\u0026 sleep 2); \\\\\\r\\n done || true\\r\\n\\r\\n# Copy package files\\r\\nCOPY package.json ./\\r\\n\\r\\n# Upgrade npm with fallback\\r\\nRUN npm install -g npm@latest || \\\\\\r\\n (echo \\\"WARNING: Could not upgrade npm, using existing version $(npm -v)\\\" \u0026\u0026 true)\\r\\n\\r\\n# Install dependencies with multiple fallback strategies\\r\\nRUN echo \\\"=== Installing Node dependencies ===\\\" \u0026\u0026 \\\\\\r\\n echo \\\"Node version: $(node -v)\\\" \u0026\u0026 \\\\\\r\\n echo \\\"NPM version: $(npm -v)\\\" \u0026\u0026 \\\\\\r\\n (npm ci 2\u003e/dev/null \u0026\u0026 echo \\\"\u2713 npm ci succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 npm ci failed (no package-lock.json), trying npm install...\\\" \u0026\u0026 \\\\\\r\\n npm install \u0026\u0026 echo \\\"\u2713 npm install succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 npm install failed, trying with legacy peer deps...\\\" \u0026\u0026 \\\\\\r\\n npm install --legacy-peer-deps \u0026\u0026 echo \\\"\u2713 Install with legacy-peer-deps succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 Trying to install packages individually...\\\" \u0026\u0026 \\\\\\r\\n npm install react react-dom axios \u0026\u0026 \\\\\\r\\n npm install -D vite @vitejs/plugin-react \u0026\u0026 \\\\\\r\\n echo \\\"\u2713 Individual package install completed\\\") || \\\\\\r\\n (echo \\\"ERROR: All installation strategies failed\\\" \u0026\u0026 exit 1)\\r\\n\\r\\n# Verify critical dependencies\\r\\nRUN node -e \\\"require(\u0027react\u0027); console.log(\u0027\u2713 React installed\u0027);\\\" || \\\\\\r\\n (echo \\\"WARNING: React verification failed\\\" \u0026\u0026 true)\\r\\nRUN node -e \\\"require(\u0027vite\u0027); console.log(\u0027\u2713 Vite installed\u0027);\\\" || \\\\\\r\\n (echo \\\"WARNING: Vite verification failed\\\" \u0026\u0026 true)\\r\\n\\r\\n# Copy source code\\r\\nCOPY . .\\r\\n\\r\\n# Verify required files exist\\r\\nRUN if [ ! -f index.html ]; then \\\\\\r\\n echo \\\"ERROR: index.html not found\\\" \u0026\u0026 exit 1; \\\\\\r\\n fi \u0026\u0026 \\\\\\r\\n if [ ! -f vite.config.js ]; then \\\\\\r\\n echo \\\"WARNING: vite.config.js not found, creating minimal config\\\" \u0026\u0026 \\\\\\r\\n echo \u0027import { defineConfig } from \\\"vite\\\"; export default defineConfig({});\u0027 \u003e vite.config.js; \\\\\\r\\n fi \u0026\u0026 \\\\\\r\\n if [ ! -d src ]; then \\\\\\r\\n echo \\\"ERROR: src directory not found\\\" \u0026\u0026 exit 1; \\\\\\r\\n fi\\r\\n\\r\\n# Build the application with fallbacks\\r\\nRUN e...
(truncated 3823 more characters)\"}}]}],\"results\":[{\"fingerprints\":{\"matchBasedId/v1\":\"requires login\"},\"locations\":[{\"physicalLocation\":{\"artifactLocation\":{\"uri\":\"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py\",\"uriBaseId\":\"%SRCROOT%\"},\"region\":{\"endColumn\":39,\"endLine\":144,\"snippet\":{\"text\":\" app.run(host=\u00270.0.0.0\u0027, port=port)\"},\"startColumn\":5,\"startLine\":144}}}],\"message\":{\"text\":\"Running flask app with host 0.0.0.0 could expose the server publicly.\"},\"properties\":{},\"ruleId\":\"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\"},{\"fingerprints\":{\"matchBasedId/v1\":\"requires login\"},\"locations\":[{\"physicalLocation\":{\"artifactLocation\":{\"uri\":\"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/nginx.conf\",\"uriBaseId\":\"%SRCROOT%\"},\"region\":{\"endColumn\":47,\"endLine\":24,\"snippet\":{\"text\":\" proxy_http_version 1.1;\\n proxy_set_header Upgrade $http_upgrade;\\n proxy_set_header Connection \u0027upgrade\u0027;\"},\"startColumn\":9,\"startLine\":22}}}],\"message\":{\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\"},\"properties\":{},\"ruleId\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\"}],\"tool\":{\"driver\":{\"name\":\"Semgrep OSS\",\"rules\":[{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data is being eval\u0027d from a `curl` command. 
An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\"},\"help\":{\"markdown\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval\",\"id\":\"bash.curl.security.curl-eval.curl-eval\",\"name\":\"bash.curl.security.curl-eval.curl-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.curl.security.curl-eval.curl-eval\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\"},\"help\":{\"markdown\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"id\":\"bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"name\":\"bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.curl.security.curl-pipe-bash.curl-pipe-bash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. 
\u0027IFS=\\\",\\\" read -a my_array\u0027.\"},\"help\":{\"markdown\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\\\",\\\" read -a my_array\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\\\",\\\" read -a my_array\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering\",\"id\":\"bash.lang.security.ifs-tampering.ifs-tampering\",\"name\":\"bash.lang.security.ifs-tampering.ifs-tampering\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-20: Improper Input Validation\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\"},\"help\":{\"markdown\":\"Avoid \u0027gets()\u0027. 
This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\\n\",\"text\":\"Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"id\":\"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"name\":\"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\"},\"help\":{\"markdown\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. 
Use \u0027fgets()\u0027 instead for reading input.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\\n\",\"text\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"id\":\"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"name\":\"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\"},\"help\":{\"markdown\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. 
Use \u0027strtok_r()\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn)\\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged](https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged)\\n - [https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS](https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS)\\n - [https://stackoverflow.com/a/40335556](https://stackoverflow.com/a/40335556)\\n\",\"text\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"id\":\"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"name\":\"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\"},\"help\":{\"markdown\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. 
Consider using the \u0027getrandom()\u0027 function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\\n\",\"text\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"id\":\"c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"name\":\"c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. 
Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"id\":\"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"name\":\"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\"},\"help\":{\"markdown\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. 
Replace with current recommended hashing algorithms.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n\",\"text\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5\",\"id\":\"clojure.lang.security.use-of-md5.use-of-md5\",\"name\":\"clojure.lang.security.use-of-md5.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1\",\"id\":\"clojure.lang.security.use-of-sha1.use-of-sha1\",\"name\":\"clojure.lang.security.use-of-sha1.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\"},\"help\":{\"markdown\":\"Mass assignment or 
Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\\n\",\"text\":\"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"id\":\"csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"name\":\"csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. 
State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\"},\"help\":{\"markdown\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\\n\",\"text\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. 
State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"id\":\"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"name\":\"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\"}}

Semgrep rule definitions carried in the scan output, one entry per rule (rule id, default level, precision, confidence, CWE and OWASP tags, message, references):

- `csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-11: ASP.NET Misconfiguration: Creating Debug Binary; OWASP-A05:2021 - Security Misconfiguration)
  ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`.
  References: https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug, https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/, https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx

- `csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-1323: Improper Management of Sensitive Trace Data; OWASP-A05:2021 - Security Misconfiguration)
  OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
  References: https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled, https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance, https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx

- `csharp.dotnet.security.razor-template-injection.razor-template-injection` (level: warning; precision: very-high; MEDIUM CONFIDENCE; CWE-94: Improper Control of Generation of Code ('Code Injection'); OWASP-A03:2021 - Injection)
  User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
  References: https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection, https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/

- `csharp.dotnet.security.use_ecb_mode.use_ecb_mode` (level: warning; precision: very-high; HIGH CONFIDENCE; CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP-A02:2021 - Cryptographic Failures)
  Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
  References: https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode, https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0, https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0, https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0, https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes

- `csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration` (level: error; precision: very-high; HIGH CONFIDENCE; CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG); OWASP-A02:2021 - Cryptographic Failures)
  You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
  References: https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration, https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks, https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0, https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors, https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key

- `csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute; OWASP-A05:2021 - Security Misconfiguration)
  Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.
  References: https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings, https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies, https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL, https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL

- `csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation` (level: warning; precision: very-high; HIGH CONFIDENCE; CWE-613: Insufficient Session Expiration; OWASP-A02:2017 - Broken Authentication; OWASP-A07:2021 - Identification and Authentication Failures)
  TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token's lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. Validate the JWT lifetime to ensure only valid tokens are used.
  References: https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation, https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/, https://cwe.mitre.org/data/definitions/613.html, https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet

- `csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation` (level: warning; precision: very-high; MEDIUM CONFIDENCE; CWE-295: Improper Certificate Validation; OWASP-A03:2017 - Sensitive Data Exposure; OWASP-A07:2021 - Identification and Authentication Failures)
  Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.
  References: https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation, https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8

- `csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine` (level: warning; precision: very-high; MEDIUM CONFIDENCE; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); OWASP-A01:2021 - Broken Access Control; OWASP-A05:2017 - Broken Access Control)
  String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data, this can lead to path traversal.
  References: https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine, https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/, https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks

- `csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings` (level: warning; precision: very-high; MEDIUM CONFIDENCE; CWE-706: Use of Incorrectly-Resolved Name or Reference; OWASP-A01:2021 - Broken Access Control)
  The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, use a subdomain wildcard binding instead; for example, "*.asdf.gov" if you own all of "asdf.gov".
  References: https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings, https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0

- `csharp.lang.security.injections.os-command.os-command-injection` (level: error; precision: very-high; LOW CONFIDENCE; CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection)
  The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  References: https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection, https://owasp.org/www-community/attacks/Command_Injection

- `csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization` (level: warning; precision: very-high; HIGH CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization, https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide

- `csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver, https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide

- `csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  The $type extension has the potential to be unsafe; use it only with known JSON sources, not public-facing ones.
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization, https://github.com/mgholam/fastJSON#security-warning-update

- `csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization` (level: warning; precision: very-high; MEDIUM CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  FsPickler is dangerous and is not recommended for data processing; its default configuration is prone to insecure deserialization.
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization, https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution

- `csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full` (level: warning; precision: very-high; LOW CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Switch from .NET Remoting to WCF (https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf).
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full, https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0, https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html

- `csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization` (level: error; precision: very-high; LOW CONFIDENCE; CWE-502: Deserialization of Untrusted Data; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures)
  The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.
  References: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization, https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks

,{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\"},\"help\":{\"markdown\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
LosFormatter is insecure and can\u0027t be made secure\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\\n\",\"text\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The NetDataContractSerializer type is dangerous and is not recommended for data processing. 
Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\"},\"help\":{\"markdown\":\"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\\n\",\"text\":\"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
NetDataContractSerializer is insecure and can\u0027t be made secure\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\"},\"help\":{\"markdown\":\"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. 
Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization)\\n - [https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks](https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks)\\n\",\"text\":\"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
SoapFormatter is insecure and can\u0027t be made secure\"},\"help\":{\"markdown\":\"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\\n\",\"text\":\"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
SoapFormatter is insecure and can\u0027t be made secure\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\"},\"help\":{\"markdown\":\"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\\n - 
[https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\\n\",\"text\":\"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span\",\"id\":\"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span\",\"name\":\"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-125: Out-of-bounds Read\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double-check that your context meets the conditions outlined in the \\\"Notes to Callers\\\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\"},\"help\":{\"markdown\":\"Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. 
If you are sure you need an infinite timeout, double-check that your context meets the conditions outlined in the \\\"Notes to Callers\\\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\\n\",\"text\":\"Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. 
If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \\\"Notes to Callers\\\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout\",\"id\":\"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout\",\"name\":\"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1333: Inefficient Regular Expression Complexity\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\"},\"help\":{\"markdown\":\"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. 
This will lead to excessive CPU usage, causing a Denial-of-Service attack\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\\n\",\"text\":\"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos\",\"id\":\"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos\",\"name\":\"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1333: Inefficient Regular Expression Complexity\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized queries instead. You can build one using \u0027SqlCommand\u0027 with \u0027SqlParameter\u0027 objects.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized queries instead. You can build one using \u0027SqlCommand\u0027 with \u0027SqlParameter\u0027 objects.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized queries instead. 
You can build one using \u0027SqlCommand\u0027 with \u0027SqlParameter\u0027 objects.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli\",\"id\":\"csharp.lang.security.sqli.csharp-sqli.csharp-sqli\",\"name\":\"csharp.lang.security.sqli.csharp-sqli.csharp-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\"},\"help\":{\"markdown\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf\",\"id\":\"csharp.lang.security.ssrf.http-client.ssrf\",\"name\":\"csharp.lang.security.ssrf.http-client.ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.ssrf.http-client.ssrf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\"},\"help\":{\"markdown\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf\",\"id\":\"csharp.lang.security.ssrf.rest-client.ssrf\",\"name\":\"csharp.lang.security.ssrf.rest-client.ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
csharp.lang.security.ssrf.rest-client.ssrf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\"},\"help\":{\"markdown\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf\",\"id\":\"csharp.lang.security.ssrf.web-client.ssrf\",\"name\":\"csharp.lang.security.ssrf.web-client.ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.ssrf.web-client.ssrf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. 
Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).\"},\"help\":{\"markdown\":\"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. 
Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf\",\"id\":\"csharp.lang.security.ssrf.web-request.ssrf\",\"name\":\"csharp.lang.security.ssrf.web-request.ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\"},\"help\":{\"markdown\":\"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\\n\",\"text\":\"Stacktrace information is displayed in a non-Development environment. 
Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure\",\"id\":\"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure\",\"name\":\"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-209: Generation of Error Message Containing Sensitive Information\",\"HIGH CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\"},\"help\":{\"markdown\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). 
Include the \u0027internal\u0027 directive in this block to limit exposure.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\\n\",\"text\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal\",\"id\":\"generic.nginx.security.missing-internal.missing-internal\",\"name\":\"generic.nginx.security.missing-internal.missing-internal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-16: CWE CATEGORY: Configuration\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. 
By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\"},\"help\":{\"markdown\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\\n\",\"text\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. 
Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"id\":\"generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"name\":\"generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\"},\"help\":{\"markdown\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). 
WebSocket support not required: Do not forward Upgrade headers.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\\n\",\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). 
WebSocket support not required: Do not forward Upgrade headers.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"id\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"name\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Amazon MWS Auth Token detected\"},\"help\":{\"markdown\":\"Amazon MWS Auth Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Amazon MWS Auth Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"id\":\"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"name\":\"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded 
Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Artifactory token detected\"},\"help\":{\"markdown\":\"Artifactory token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Artifactory token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"id\":\"generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"name\":\"generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Artifactory token detected\"},\"help\":{\"markdown\":\"Artifactory token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Artifactory token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"id\":\"generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"name\":\"generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\"},\"help\":{\"markdown\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. 
Instead, read this value from an environment variable or keep it in a separate, private file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"id\":\"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"name\":\"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\"},\"help\":{\"markdown\":\"AWS Account ID detected. 
While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"id\":\"generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"name\":\"generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-account-id.detected-aws-account-id\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS AppSync GraphQL Key detected\"},\"help\":{\"markdown\":\"AWS AppSync GraphQL Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS AppSync GraphQL Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"id\":\"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"name\":\"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Secret Access Key detected\"},\"help\":{\"markdown\":\"AWS Secret Access Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Secret Access Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"id\":\"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"name\":\"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Session Token detected\"},\"help\":{\"markdown\":\"AWS Session Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Session Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"id\":\"generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"name\":\"generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-aws-session-token.detected-aws-session-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"bcrypt hash detected\"},\"help\":{\"markdown\":\"bcrypt hash detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"bcrypt hash detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"id\":\"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"name\":\"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"CodeClimate detected\"},\"help\":{\"markdown\":\"CodeClimate detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\\n - 
[https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"CodeClimate detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"id\":\"generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"name\":\"generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"linux shadow file detected\"},\"help\":{\"markdown\":\"linux shadow file detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"linux shadow file detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"id\":\"generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"name\":\"generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - 
Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Facebook Access Token detected\"},\"help\":{\"markdown\":\"Facebook Access Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Facebook Access Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"id\":\"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"name\":\"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Facebook OAuth detected\"},\"help\":{\"markdown\":\"Facebook OAuth detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key\",\"id\":\"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key\",\"name\":\"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Stripe Restricted API Key detected\"},\"help\":{\"markdown\":\"Stripe Restricted API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Stripe Restricted API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key\",\"id\":\"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key\",\"name\":\"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication 
Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Telegram Bot API Key detected\"},\"help\":{\"markdown\":\"Telegram Bot API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Telegram Bot API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key\",\"id\":\"generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key\",\"name\":\"generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Twilio API Key detected\"},\"help\":{\"markdown\":\"Twilio API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Twilio API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key\",\"id\":\"generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key\",\"name\":\"generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detects potential Google Maps API keys in code\"},\"help\":{\"markdown\":\"Detects potential Google Maps API keys in code\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\\n\",\"text\":\"Detects potential Google Maps API keys in code\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak\",\"id\":\"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak\",\"name\":\"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory\",\"MEDIUM CONFIDENCE\",\"OWASP-A3:2017 Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\"},\"help\":{\"markdown\":\"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. 
If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\\n - [https://trojansource.codes/](https://trojansource.codes/)\\n\",\"text\":\"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters\",\"id\":\"generic.unicode.security.bidi.contains-bidirectional-characters\",\"name\":\"generic.unicode.security.bidi.contains-bidirectional-characters\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. 
Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\"},\"help\":{\"markdown\":\"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs)\\n - [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)\\n - [https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/](https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/)\\n\",\"text\":\"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. 
Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs\",\"id\":\"generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs\",\"name\":\"generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-346: Origin Validation Error\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\\\"true\\\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\"},\"help\":{\"markdown\":\"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. 
Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\\\"true\\\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\\n\",\"text\":\"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\\\"true\\\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. 
To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param\",\"id\":\"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param\",\"name\":\"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\"},\"help\":{\"markdown\":\"Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute)\\n - [https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5](https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5)\\n\",\"text\":\"Visualforce Pages must have the cspHeader attribute set to true. 
This attribute is available in API version 55 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute\",\"id\":\"generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute\",\"name\":\"generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\"},\"help\":{\"markdown\":\"Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version)\\n - [https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm](https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm)\\n\",\"text\":\"Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version\",\"id\":\"generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version\",\"name\":\"generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli)\\n - [https://pkg.go.dev/database/sql#DB.Query](https://pkg.go.dev/database/sql#DB.Query)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli\",\"id\":\"go.aws-lambda.security.database-sqli.database-sqli\",\"name\":\"go.aws-lambda.security.database-sqli.database-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.aws-lambda.security.database-sqli.database-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\"},\"help\":{\"markdown\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"id\":\"go.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"name\":\"go.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.aws-lambda.security.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. 
Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\\n\",\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly\",\"id\":\"go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly\",\"name\":\"go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. 
The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\\n\",\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure\",\"id\":\"go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure\",\"name\":\"go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\"},\"help\":{\"markdown\":\"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\\n\",\"text\":\"Found SameSiteNoneMode setting in Gorilla session options. 
Consider setting SameSite to Lax, Strict or Default for enhanced security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone\",\"id\":\"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone\",\"name\":\"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1275: Sensitive Cookie with Improper SameSite Attribute\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \\\"gorilla/websocket\\\" documentation: \\\"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\\\"\"},\"help\":{\"markdown\":\"The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). 
As per \\\"gorilla/websocket\\\" documentation: \\\"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\\\"\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)\\n - [https://pkg.go.dev/github.com/gorilla/websocket#Upgrader](https://pkg.go.dev/github.com/gorilla/websocket#Upgrader)\\n\",\"text\":\"The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \\\"gorilla/websocket\\\" documentation: \\\"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\\\"\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check\",\"id\":\"go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check\",\"name\":\"go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. 
A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\"},\"help\":{\"markdown\":\"Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection)\\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\\n\",\"text\":\"Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. 
You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection\",\"id\":\"go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection\",\"name\":\"go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-300: Channel Accessible by Non-Endpoint\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\\\"cert.pem\\\", \\\"cert.key\\\")\u0027.\"},\"help\":{\"markdown\":\"Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. 
You can create credentials using \u0027credentials.NewServerTLSFromFile(\\\"cert.pem\\\", \\\"cert.key\\\")\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection)\\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\\n\",\"text\":\"Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\\\"cert.pem\\\", \\\"cert.key\\\")\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection\",\"id\":\"go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection\",\"name\":\"go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-300: Channel Accessible by Non-Endpoint\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the decoding of a JWT token without a verify step. 
Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\"},\"help\":{\"markdown\":\"Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. 
It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"id\":\"go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"name\":\"go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"id\":\"go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"name\":\"go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. 
It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key\",\"id\":\"go.jwt-go.security.jwt.hardcoded-jwt-key\",\"name\":\"go.jwt-go.security.jwt.hardcoded-jwt-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). 
It is recommended to use `net/http` or a web framework to build a web application instead.\"},\"help\":{\"markdown\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used)\\n - [https://godoc.org/golang.org/x/crypto/sha3](https://godoc.org/golang.org/x/crypto/sha3)\\n\",\"text\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"id\":\"go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"name\":\"go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.bad_imports.insecure-module-used\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. 
See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\"},\"help\":{\"markdown\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key)\\n - [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/)\\n - [https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d](https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d)\\n\",\"text\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. 
See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"id\":\"go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"name\":\"go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-322: Key Exchange without Entity Authentication\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Do not use `math/rand`. Use `crypto/rand` instead.\"},\"help\":{\"markdown\":\"Do not use `math/rand`. Use `crypto/rand` instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\\n\",\"text\":\"Do not use `math/rand`. 
Use `crypto/rand` instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used\",\"id\":\"go.lang.security.audit.crypto.math_random.math-random-used\",\"name\":\"go.lang.security.audit.crypto.math_random.math-random-used\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\"},\"help\":{\"markdown\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. 
Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\\n - [https://go.dev/doc/go1.22#minor_library_changes](https://go.dev/doc/go1.22#minor_library_changes)\\n - [https://pkg.go.dev/crypto/tls#:~:text=MinVersion](https://pkg.go.dev/crypto/tls#:~:text=MinVersion)\\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\\n\",\"text\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. 
Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"id\":\"go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"name\":\"go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\"},\"help\":{\"markdown\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\\n\",\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"id\":\"go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"name\":\"go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.sha224-hash.sha224-hash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. 
Instead, use \u0027tls.VersionTLS13\u0027.\"},\"help\":{\"markdown\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\\n\",\"text\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"id\":\"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"name\":\"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\"},\"help\":{\"markdown\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. 
Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\\n\",\"text\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"id\":\"go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"name\":\"go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\"},\"help\":{\"markdown\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. 
Use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\"},\"help\":{\"markdown\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. 
Use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RSA keys should be at least 2048 bits\"},\"help\":{\"markdown\":\"RSA keys should be at least 2048 bits\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key)\\n - 
[https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\\n\",\"text\":\"RSA keys should be at least 2048 bits\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"id\":\"go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"name\":\"go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"id\":\"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"name\":\"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"id\":\"go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"name\":\"go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"id\":\"go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"name\":\"go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\"},\"help\":{\"markdown\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. 
Audit this call to ensure the SQL is not manipulable by external data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"id\":\"go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"name\":\"go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.database.string-formatted-query.string-formatted-query\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. 
Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use the `golang.org/x/crypto/bcrypt` package.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"id\":\"go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"name\":\"go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\"},\"help\":{\"markdown\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. 
Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"id\":\"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"name\":\"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"HIGH CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. 
Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\\n\",\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"id\":\"go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"name\":\"go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. 
The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\\n\",\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"id\":\"go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"name\":\"go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\"},\"help\":{\"markdown\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. 
Ensure that your ClientTrace is statically defined.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\\n\",\"text\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"id\":\"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"name\":\"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-913: Improper Control of Dynamically-Managed Code Resources\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. 
If user data can reach this template, you may have a XSS vulnerability.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"id\":\"go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"name\":\"go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The profiling \u0027pprof\u0027 endpoint is automatically 
exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\"},\"help\":{\"markdown\":\"The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure)\\n - [https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/](https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/)\\n\",\"text\":\"The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. 
See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"id\":\"go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"name\":\"go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.pprof.pprof-debug-exposure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr)\\n - [https://golang.org/pkg/html/template/#HTMLAttr](https://golang.org/pkg/html/template/#HTMLAttr)\\n\",\"text\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. 
Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. 
Be absolutely sure there is no user-controlled data in this template.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. 
Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url)\\n - [https://golang.org/pkg/html/template/#URL](https://golang.org/pkg/html/template/#URL)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\"},\"help\":{\"markdown\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. 
See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\\n\",\"text\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls\",\"id\":\"go.lang.security.audit.net.use-tls.use-tls\",\"name\":\"go.lang.security.audit.net.use-tls.use-tls\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\"},\"help\":{\"markdown\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. 
If you must do this, ensure your data is sanitized or escaped.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"id\":\"go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"name\":\"go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. 
Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\"},\"help\":{\"markdown\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"id\":\"go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"name\":\"go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-913: Improper Control of Dynamically-Managed Code Resources\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.reflect-makefunc.reflect-makefunc\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli)\\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"id\":\"go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"name\":\"go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli)\\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"id\":\"go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"name\":\"go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? 
FROM table, data1)\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"id\":\"go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"name\":\"go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"id\":\"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"name\":\"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were 
not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\"},\"help\":{\"markdown\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. 
This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"id\":\"go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"name\":\"go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\"},\"help\":{\"markdown\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. 
To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template)\\n - [https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security](https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security)\\n\",\"text\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. 
By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template\",\"id\":\"go.lang.security.audit.xss.import-text-template.import-text-template\",\"name\":\"go.lang.security.audit.xss.import-text-template.import-text-template\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.import-text-template.import-text-template\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\"},\"help\":{\"markdown\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"id\":\"go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"name\":\"go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package to render data to users.\"},\"help\":{\"markdown\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.android.security.exported_activity.exported_activity)\\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\\n\",\"text\":\"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.android.security.exported_activity.exported_activity\",\"id\":\"java.android.security.exported_activity.exported_activity\",\"name\":\"java.android.security.exported_activity.exported_activity\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-926: Improper Export of Android Application Components\",\"MEDIUM CONFIDENCE\",\"OWASP-A5:2021 Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.android.security.exported_activity.exported_activity\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\"},\"help\":{\"markdown\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"id\":\"java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"name\":\"java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli\",\"id\":\"java.aws-lambda.security.tainted-sqli.tainted-sqli\",\"name\":\"java.aws-lambda.security.tainted-sqli.tainted-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.aws-lambda.security.tainted-sqli.tainted-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\"},\"help\":{\"markdown\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"Detected the decoding of a JWT token without a verify step. 
JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify\",\"id\":\"java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify\",\"name\":\"java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret\",\"id\":\"java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret\",\"name\":\"java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. 
Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg\",\"id\":\"java.java-jwt.security.jwt-none-alg.java-jwt-none-alg\",\"name\":\"java.java-jwt.security.jwt-none-alg.java-jwt-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\"},\"help\":{\"markdown\":\"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\\n\",\"text\":\"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal\",\"id\":\"java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal\",\"name\":\"java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection\",\"id\":\"java.jboss.security.seam-log-injection.seam-log-injection\",\"name\":\"java.jboss.security.seam-log-injection.seam-log-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.jboss.security.seam-log-injection.seam-log-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"In $METHOD, $X is used to construct a SQL query via string concatenation.\"},\"help\":{\"markdown\":\"In $METHOD, $X is used to construct a SQL query via string concatenation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"In $METHOD, $X is used to construct a SQL query via string concatenation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation\",\"id\":\"java.jboss.security.session_sqli.find-sql-string-concatenation\",\"name\":\"java.jboss.security.session_sqli.find-sql-string-concatenation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL 
Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.jboss.security.session_sqli.find-sql-string-concatenation\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg\",\"id\":\"java.jjwt.security.jwt-none-alg.jjwt-none-alg\",\"name\":\"java.jjwt.security.jwt-none-alg.jjwt-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\"},\"help\":{\"markdown\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. 
See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind\",\"id\":\"java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind\",\"name\":\"java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\"},\"help\":{\"markdown\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\\n\",\"text\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. 
Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion\",\"id\":\"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion\",\"name\":\"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-704: Incorrect Type Conversion or Cast\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\"},\"help\":{\"markdown\":\"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Using less than 128 bits for Blowfish is considered insecure. 
Semgrep rule definitions (SARIF rules metadata, continued)

| Rule | Level | Tags | Description | References |
|---|---|---|---|---|
| [java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size) | — | CWE-326: Inadequate Encryption Strength; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | … Use 128 bits or more, or switch to use AES instead. | — |
| [java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle) | warning | CWE-327: Use of a Broken or Risky Cryptographic Algorithm; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead. | https://capec.mitre.org/data/definitions/463.html; https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes; https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY |
| [java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call) | error | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); LOW CONFIDENCE; OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection | A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. | https://owasp.org/Top10/A03_2021-Injection |
| [java.lang.security.audit.command-injection-process-builder.command-injection-process-builder](https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder) | error | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); LOW CONFIDENCE; OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection | A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. | https://owasp.org/Top10/A03_2021-Injection |
| [java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly) | warning | CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag; LOW CONFIDENCE; OWASP-A05:2021 - Security Misconfiguration | A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);' | https://owasp.org/Top10/A05_2021-Security_Misconfiguration |
| [java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag) | warning | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute; LOW CONFIDENCE; OWASP-A05:2021 - Security Misconfiguration | A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);' | https://owasp.org/Top10/A05_2021-Security_Misconfiguration |
| [java.lang.security.audit.crlf-injection-logs.crlf-injection-logs](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs) | warning | CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'); MEDIUM CONFIDENCE; OWASP-A03:2021 - Injection | When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. | https://owasp.org/Top10/A03_2021-Injection |
| [java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated) | warning | CWE-326: Inadequate Encryption Strength; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information. | https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard; https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms |
| [java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated) | warning | CWE-326: Inadequate Encryption Strength; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. | https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA |
| [java.lang.security.audit.crypto.ecb-cipher.ecb-cipher](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher) | warning | CWE-327: Use of a Broken or Risky Cryptographic Algorithm; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| [java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse) | error | CWE-323: Reusing a Nonce, Key Pair in Encryption; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures | GCM IV/nonce is reused: encryption can be totally useless | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| [java.lang.security.audit.crypto.no-null-cipher.no-null-cipher](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher) | warning | CWE-327: Use of a Broken or Risky Cryptographic Algorithm; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: `Cipher.getInstance("AES/CBC/PKCS7PADDING")`. See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| [java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector) | warning | CWE-329: Generation of Predictable IV with CBC Mode; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures | Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption. | https://cwe.mitre.org/data/definitions/329.html |
| [java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding) | warning | CWE-326: Inadequate Encryption Strength; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Using RSA without OAEP mode weakens the encryption. | https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ |
| [java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests) | warning | CWE-327: Use of a Broken or Risky Cryptographic Algorithm; LOW CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: `MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");` | https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms |
| [java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated) | warning | CWE-326: Inadequate Encryption Strength; LOW CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| [java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier) | warning | CWE-295: Improper Certificate Validation; LOW CONFIDENCE; OWASP-A03:2017 - Sensitive Data Exposure; OWASP-A07:2021 - Identification and Authentication Failures | Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks. | https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures |
| [java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager) | warning | CWE-295: Improper Certificate Validation; LOW CONFIDENCE; OWASP-A03:2017 - Sensitive Data Exposure; OWASP-A07:2021 - Identification and Authentication Failures | Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information. | https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https |
| [java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket) | warning | CWE-319: Cleartext Transmission of Sensitive Information; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| [java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb) | warning | CWE-327: Use of a Broken or Risky Cryptographic Algorithm; HIGH CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure | Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: `Cipher.getInstance("AES/CBC/PKCS7PADDING")`. See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures; https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html |
| — | warning | — | Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. … | — |
Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"id\":\"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"name\":\"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes\",\"id\":\"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes\",\"name\":\"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. 
MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils\",\"id\":\"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils\",\"name\":\"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. 
MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5\",\"id\":\"java.lang.security.audit.crypto.use-of-md5.use-of-md5\",\"name\":\"java.lang.security.audit.crypto.use-of-md5.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2\",\"id\":\"java.lang.security.audit.crypto.use-of-rc2.use-of-rc2\",\"name\":\"java.lang.security.audit.crypto.use-of-rc2.use-of-rc2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4\",\"id\":\"java.lang.security.audit.crypto.use-of-rc4.use-of-rc4\",\"name\":\"java.lang.security.audit.crypto.use-of-rc4.use-of-rc4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1\",\"id\":\"java.lang.security.audit.crypto.use-of-sha1.use-of-sha1\",\"name\":\"java.lang.security.audit.crypto.use-of-sha1.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\"},\"help\":{\"markdown\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\\n\",\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224\",\"id\":\"java.lang.security.audit.crypto.use-of-sha224.use-of-sha224\",\"name\":\"java.lang.security.audit.crypto.use-of-sha224.use-of-sha224\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). 
If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\"},\"help\":{\"markdown\":\"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random\",\"id\":\"java.lang.security.audit.crypto.weak-random.weak-random\",\"name\":\"java.lang.security.audit.crypto.weak-random.weak-random\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-330: Use of Insufficiently Random Values\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RSA keys should be at least 2048 bits based on NIST recommendation.\"},\"help\":{\"markdown\":\"RSA keys should be at least 2048 bits based on NIST recommendation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free 
at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\\n\",\"text\":\"RSA keys should be at least 2048 bits based on NIST recommendation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key\",\"id\":\"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key\",\"name\":\"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"A expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell\",\"id\":\"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell\",\"name\":\"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"An expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection\",\"id\":\"java.lang.security.audit.el-injection.el-injection\",\"name\":\"java.lang.security.audit.el-injection.el-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.el-injection.el-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"id\":\"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"name\":\"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. 
`exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"id\":\"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"name\":\"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-454: External Initialization of Trusted Variables or Data Stores\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"id\":\"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"name\":\"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. 
Instead, thoroughly sanitize user input before passing it into such function calls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"id\":\"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"name\":\"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-501: Trust Boundary Violation\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. 
This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. 
Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"id\":\"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"name\":\"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-643: Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\"},\"help\":{\"markdown\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. 
This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"id\":\"java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"name\":\"java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. 
Consider using an allowlist to validate URLs.\"},\"help\":{\"markdown\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"id\":\"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"name\":\"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\"},\"help\":{\"markdown\":\"URL rewriting has significant security risks. 
Since session ID appears in the URL, it may be easily seen by third parties.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting\",\"id\":\"java.lang.security.audit.url-rewriting.url-rewriting\",\"name\":\"java.lang.security.audit.url-rewriting.url-rewriting\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.url-rewriting.url-rewriting\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\"},\"help\":{\"markdown\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. 
Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\\n\",\"text\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"id\":\"java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"name\":\"java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\"},\"help\":{\"markdown\":\"XMLDecoder should not be used to parse untrusted data. 
Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. 
See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder\",\"id\":\"java.lang.security.audit.xml-decoder.xml-decoder\",\"name\":\"java.lang.security.audit.xml-decoder.xml-decoder\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\"},\"help\":{\"markdown\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\\n\",\"text\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. 
Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"id\":\"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"name\":\"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences\",\"LOW CONFIDENCE\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\"},\"help\":{\"markdown\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. 
Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\\n\",\"text\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"id\":\"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"name\":\"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. 
Semgrep rule definitions reported for the Java code in this scan (decoded from the SARIF `rules` array; each entry lists the rule id, default level, tags, the rule's own remediation text and its references). The first entry's level and the last entry's tags fall outside this excerpt.

- java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure
  Precision: very-high. Tags: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), LOW CONFIDENCE, OWASP-A03:2021 Injection, OWASP-A07:2017 Cross-Site Scripting (XSS).
  It looks like you're using an implementation of XSSRequestWrapper from dzone (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html). The XSS filtering in this code is not secure and can be bypassed by malicious actors. Use a stack that automatically escapes in your views or templates instead of filtering input yourself.
  References: https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure ; https://owasp.org/Top10/A03_2021-Injection

- java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false
  Level: error. Precision: very-high. Tags: CWE-611 Improper Restriction of XML External Entity Reference, HIGH CONFIDENCE, OWASP-A04:2017 XML External Entities (XXE), OWASP-A05:2021 Security Misconfiguration.
  DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false.
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor ; https://xerces.apache.org/xerces2-j/features.html

- java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing
  Level: error. Precision: very-high. Tags: CWE-611, HIGH CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false.
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor ; https://xerces.apache.org/xerces2-j/features.html

- java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true
  Level: error. Precision: very-high. Tags: CWE-611, HIGH CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-general-entities" to false.
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor

- java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true
  Level: error. Precision: very-high. Tags: CWE-611, HIGH CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-parameter-entities" to false.
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor

- java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing
  Level: error. Precision: very-high. Tags: CWE-611, HIGH CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. Note that these strings are not links to be clicked; they are the literal configuration keys used to disable the features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor ; https://xerces.apache.org/xerces2-j/features.html

- java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled
  Level: error. Precision: very-high. Tags: CWE-611, HIGH CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes "accessExternalDTD" and "accessExternalStylesheet" to "" (the empty string, meaning no protocol is permitted).
  References: https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://blog.sonarsource.com/secure-xml-processor ; https://xerces.apache.org/xerces2-j/features.html

- java.lang.security.do-privileged-use.do-privileged-use
  Level: warning. Precision: very-high. Tags: CWE-269 Improper Privilege Management, LOW CONFIDENCE, OWASP-A04:2021 Insecure Design.
  Marking code as privileged lets a piece of trusted code temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always keep the privileged code section as small as possible.
  References: https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use ; https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html ; https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation ; http://phrack.org/papers/escaping_the_java_sandbox.html

- java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal
  Level: error. Precision: very-high. Tags: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), MEDIUM CONFIDENCE, OWASP-A01:2021 Broken Access Control, OWASP-A05:2017 Broken Access Control.
  Detected a potential path traversal. A malicious actor could control the location of this file, including walking up the directory tree with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to retrieve only the file name from the path.
  References: https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal ; https://www.owasp.org/index.php/Path_Traversal

- java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization
  Level: warning. Precision: very-high. Tags: CWE-502 Deserialization of Untrusted Data, MEDIUM CONFIDENCE, OWASP-A08:2017 Insecure Deserialization, OWASP-A08:2021 Software and Data Integrity Failures.
  JMS Object messages depend on Java serialization for marshalling and unmarshalling the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws: a remote attacker could use a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application consuming JMS messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.
  References: https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization ; https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf

- java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization
  Level: warning. Precision: very-high. Tags: CWE-502 Deserialization of Untrusted Data, MEDIUM CONFIDENCE, OWASP-A8:2017 Insecure Deserialization, OWASP-A8:2021 Software and Data Integrity Failures.
  When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it may be possible to supply malicious JSON that exploits insecure deserialization. To prevent this, avoid enabling default typing (globally or through per-class annotations), and avoid using `Object` and other dangerous types for member variable declarations when creating classes for Jackson-based deserialization.
  References: https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization ; https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038 ; https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 ; https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/

- java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss
  Level: error. Precision: very-high. Tags: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), MEDIUM CONFIDENCE, OWASP-A03:2021 Injection, OWASP-A07:2017 Cross-Site Scripting (XSS).
  Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.
  References: https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss ; https://owasp.org/Top10/A03_2021-Injection

- java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor
  Level: warning. Precision: very-high. Tags: CWE-502 Deserialization of Untrusted Data, LOW CONFIDENCE, OWASP-A08:2017 Insecure Deserialization, OWASP-A08:2021 Software and Data Integrity Failures.
  Used the SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.
  References: https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor ; https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability

- java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled
  Level: error. Precision: very-high. Tags: CWE-611 Improper Restriction of XML External Entity Reference, LOW CONFIDENCE, OWASP-A04:2017 XXE, OWASP-A05:2021 Security Misconfiguration.
  XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.
  References: https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf

- java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe
  Level: warning.
  XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.
  References: https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe ; https://semgrep.dev/blog/2022/xml-security-in-java ; https://semgrep.dev/docs/cheat-sheets/java-xxe/ ; https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf ; https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser
Explicitly disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"id\":\"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"name\":\"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\"},\"help\":{\"markdown\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\\n\",\"text\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"id\":\"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"name\":\"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. 
This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\"},\"help\":{\"markdown\":\"Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization)\\n - [https://frohoff.github.io/appseccali-marshalling-pickles/](https://frohoff.github.io/appseccali-marshalling-pickles/)\\n - [https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi](https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi)\\n - [https://youtu.be/t_aw1mDNhzI](https://youtu.be/t_aw1mDNhzI)\\n - [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)\\n - [https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331](https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331)\\n\",\"text\":\"Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization\",\"id\":\"java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization\",\"name\":\"java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\"},\"help\":{\"markdown\":\"Default session middleware settings: `setSecure` not set to true. 
This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false)\\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\\n\",\"text\":\"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false\",\"id\":\"java.servlets.security.cookie-issecure-false.cookie-issecure-false\",\"name\":\"java.servlets.security.cookie-issecure-false.cookie-issecure-false\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.servlets.security.cookie-issecure-false.cookie-issecure-false\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"A Spring expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection\",\"id\":\"java.spring.security.audit.spel-injection.spel-injection\",\"name\":\"java.spring.security.audit.spel-injection.spel-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spel-injection.spel-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\"},\"help\":{\"markdown\":\"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. 
Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\\n\",\"text\":\"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. 
Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled\",\"id\":\"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled\",\"name\":\"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"CSRF protection is disabled for this configuration. This is a security risk.\"},\"help\":{\"markdown\":\"CSRF protection is disabled for this configuration. This is a security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"CSRF protection is disabled for this configuration. 
This is a security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled\",\"id\":\"java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled\",\"name\":\"java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A Spring expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval\",\"id\":\"java.spring.security.audit.spring-jsp-eval.spring-jsp-eval\",\"name\":\"java.spring.security.audit.spring-jsp-eval.spring-jsp-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli\",\"id\":\"java.spring.security.audit.spring-sqli.spring-sqli\",\"name\":\"java.spring.security.audit.spring-sqli.spring-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spring-sqli.spring-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\"},\"help\":{\"markdown\":\"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - 
[Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect\",\"id\":\"java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect\",\"name\":\"java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\"},\"help\":{\"markdown\":\"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path\",\"id\":\"java.spring.security.injection.tainted-file-path.tainted-file-path\",\"name\":\"java.spring.security.injection.tainted-file-path.tainted-file-path\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-23: Relative Path Traversal\",\"HIGH CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
You can use the OWASP ESAPI encoder if you must render user data.\"},\"help\":{\"markdown\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
You can use the OWASP ESAPI encoder if you must render user data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string\",\"id\":\"java.spring.security.injection.tainted-html-string.tainted-html-string\",\"name\":\"java.spring.security.injection.tainted-html-string.tainted-html-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\"},\"help\":{\"markdown\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\\n\",\"text\":\"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"id\":\"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"name\":\"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-916: Use of Password Hash With Insufficient Computational Effort\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. 
Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\"},\"help\":{\"markdown\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. 
Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization\",\"id\":\"javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization\",\"name\":\"javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\"},\"help\":{\"markdown\":\"Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. 
If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process\",\"id\":\"javascript.aws-lambda.security.detect-child-process.detect-child-process\",\"name\":\"javascript.aws-lambda.security.detect-child-process.detect-child-process\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.detect-child-process.detect-child-process\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. 
Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\"},\"help\":{\"markdown\":\"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object\",\"id\":\"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object\",\"name\":\"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-943: Improper Neutralization of Special Elements in Data Query Logic\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli)\\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli\",\"id\":\"javascript.aws-lambda.security.knex-sqli.knex-sqli\",\"name\":\"javascript.aws-lambda.security.knex-sqli.knex-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.knex-sqli.knex-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli)\\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli\",\"id\":\"javascript.aws-lambda.security.mysql-sqli.mysql-sqli\",\"name\":\"javascript.aws-lambda.security.mysql-sqli.mysql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.mysql-sqli.mysql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli)\\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli\",\"id\":\"javascript.aws-lambda.security.pg-sqli.pg-sqli\",\"name\":\"javascript.aws-lambda.security.pg-sqli.pg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.pg-sqli.pg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\\n\",\"text\":\"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli\",\"id\":\"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli\",\"name\":\"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. 
It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\"},\"help\":{\"markdown\":\"The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval\",\"id\":\"javascript.aws-lambda.security.tainted-eval.tainted-eval\",\"name\":\"javascript.aws-lambda.security.tainted-eval.tainted-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.tainted-eval.tainted-eval\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into an HTML response. 
You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\"},\"help\":{\"markdown\":\"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response\",\"id\":\"javascript.aws-lambda.security.tainted-html-response.tainted-html-response\",\"name\":\"javascript.aws-lambda.security.tainted-html-response.tainted-html-response\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
javascript.aws-lambda.security.tainted-html-response.tainted-html-response\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\"},\"help\":{\"markdown\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
Otherwise, use templates which will safely render HTML instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string\",\"id\":\"javascript.aws-lambda.security.tainted-html-string.tainted-html-string\",\"name\":\"javascript.aws-lambda.security.tainted-html-string.tainted-html-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.tainted-html-string.tainted-html-string\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\"},\"help\":{\"markdown\":\"The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. 
Do not let user input in `vm` functions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection\",\"id\":\"javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection\",\"name\":\"javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\"},\"help\":{\"markdown\":\"Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent\",\"id\":\"javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent\",\"name\":\"javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. 
Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\"},\"help\":{\"markdown\":\"The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\\n\",\"text\":\"The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. 
Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect\",\"id\":\"javascript.express.security.audit.express-open-redirect.express-open-redirect\",\"name\":\"javascript.express.security.audit.express-open-redirect.express-open-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Possible writing outside of the destination, make sure that the target path is nested in the intended destination\"},\"help\":{\"markdown\":\"Possible writing outside of the destination, make sure that the target path is nested in the intended destination\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Possible writing outside of the destination, make sure that the target path is nested in the intended destination\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal\",\"id\":\"javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal\",\"name\":\"javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\"},\"help\":{\"markdown\":\"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. 
This allows you to validate the path against the intended directory it should be accessing.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\\n\",\"text\":\"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile\",\"id\":\"javascript.express.security.audit.express-res-sendfile.express-res-sendfile\",\"name\":\"javascript.express.security.audit.express-res-sendfile.express-res-sendfile\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-73: External Control of File Name or Path\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-res-sendfile.express-res-sendfile\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret\",\"id\":\"javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret\",\"name\":\"javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \"},\"help\":{\"markdown\":\"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. 
\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf\",\"id\":\"javascript.express.security.audit.express-ssrf.express-ssrf\",\"name\":\"javascript.express.security.audit.express-ssrf.express-ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. 
It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\"},\"help\":{\"markdown\":\"The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\\n\",\"text\":\"The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. 
It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization\",\"id\":\"javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization\",\"name\":\"javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"HIGH CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\"},\"help\":{\"markdown\":\"Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event)\\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\\n\",\"text\":\"Xml Parser is used inside Request Event. 
Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event\",\"id\":\"javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event\",\"name\":\"javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. Use literal values for object properties.\"},\"help\":{\"markdown\":\"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. 
Use literal values for object properties.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\\n\",\"text\":\"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. Use literal values for object properties.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection\",\"id\":\"javascript.express.security.audit.remote-property-injection.remote-property-injection\",\"name\":\"javascript.express.security.audit.remote-property-injection.remote-property-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. 
`../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.\"},\"help\":{\"markdown\":\"User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection)\\n - [http://expressjs.com/en/4x/api.html#res.render](http://expressjs.com/en/4x/api.html#res.render)\\n\",\"text\":\"User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. 
Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection\",\"id\":\"javascript.express.security.audit.res-render-injection.res-render-injection\",\"name\":\"javascript.express.security.audit.res-render-injection.res-render-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-706: Use of Incorrectly-Resolved Name or Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.res-render-injection.res-render-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\"},\"help\":{\"markdown\":\"Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. 
Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write\",\"id\":\"javascript.express.security.audit.xss.direct-response-write.direct-response-write\",\"name\":\"javascript.express.security.audit.xss.direct-response-write.direct-response-write\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.xss.direct-response-write.direct-response-write\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027 If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... 
%\u003e\u0027 to escape this data. If you need escaping, ensure no external data can reach this location.\"},\"help\":{\"markdown\":\"Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027 If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need escaping, ensure no external data can reach this location.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)\\n - [http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/](http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/)\\n\",\"text\":\"Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027 If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. 
cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection)\\n - [https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\\n\",\"text\":\"If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection\",\"id\":\"javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection\",\"name\":\"javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection)\\n - 
[https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\\n\",\"text\":\"If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection\",\"id\":\"javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection\",\"name\":\"javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\\n\",\"text\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe\",\"id\":\"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe\",\"name\":\"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\"},\"help\":{\"markdown\":\"User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. 
Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format\",\"id\":\"javascript.express.security.injection.raw-html-format.raw-html-format\",\"name\":\"javascript.express.security.injection.raw-html-format.raw-html-format\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.injection.raw-html-format.raw-html-format\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\"},\"help\":{\"markdown\":\"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\\n\",\"text\":\"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.require-request.require-request\",\"id\":\"javascript.express.security.require-request.require-request\",\"name\":\"javascript.express.security.require-request.require-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-706: Use of Incorrectly-Resolved Name or Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.require-request.require-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\"},\"help\":{\"markdown\":\"By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration)\\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)\\n\",\"text\":\"By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration\",\"id\":\"javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration\",\"name\":\"javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-451: User Interface (UI) Misrepresentation of Critical Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\"},\"help\":{\"markdown\":\"User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup\",\"id\":\"javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup\",\"name\":\"javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\"},\"help\":{\"markdown\":\"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\\n\",\"text\":\"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. 
A malicious attacker could tamper with the gRPC message, which could compromise the machine.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection\",\"id\":\"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection\",\"name\":\"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\"},\"help\":{\"markdown\":\"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. 
See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\\n\",\"text\":\"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash\",\"id\":\"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash\",\"name\":\"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\"},\"help\":{\"markdown\":\"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data\",\"id\":\"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data\",\"name\":\"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. 
It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret\",\"id\":\"javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret\",\"name\":\"javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg\",\"id\":\"javascript.jose.security.jwt-none-alg.jwt-none-alg\",\"name\":\"javascript.jose.security.jwt-none-alg.jwt-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\"},\"help\":{\"markdown\":\"Detected the decoding of a JWT token without a verify step. 
JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify\",\"id\":\"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify\",\"name\":\"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The object is passed strictly to jsonwebtoken.sign(...) 
Make sure that sensitive information is not exposed through JWT token payload.\"},\"help\":{\"markdown\":\"The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data\",\"id\":\"javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data\",\"name\":\"javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret\",\"id\":\"javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret\",\"name\":\"javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg\",\"id\":\"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg\",\"name\":\"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\"},\"help\":{\"markdown\":\"Detected the decoding of a JWT token without a verify step. 
JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify)\\n - [https://www.npmjs.com/package/jwt-simple](https://www.npmjs.com/package/jwt-simple)\\n - [https://cwe.mitre.org/data/definitions/287](https://cwe.mitre.org/data/definitions/287)\\n - [https://cwe.mitre.org/data/definitions/345](https://cwe.mitre.org/data/definitions/345)\\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\\n\",\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. 
Set \u0027verify\u0027 to `true` before using the token.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify\",\"id\":\"javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify\",\"name\":\"javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"CWE-345: Insufficient Verification of Data Authenticity\",\"CWE-347: Improper Verification of Cryptographic Signature\",\"HIGH CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\"},\"help\":{\"markdown\":\"Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. 
Avoid `eval` whenever possible.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat)\\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)\\n - [https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback](https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback)\\n - [https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/](https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/)\\n - [https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)\\n\",\"text\":\"Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. 
Avoid `eval` whenever possible.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat\",\"id\":\"javascript.lang.security.audit.code-string-concat.code-string-concat\",\"name\":\"javascript.lang.security.audit.code-string-concat.code-string-concat\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.code-string-concat.code-string-concat\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\"},\"help\":{\"markdown\":\"Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\\n\",\"text\":\"Detected non-literal calls to $EXEC(). 
This could lead to a command injection vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell\",\"id\":\"javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell\",\"name\":\"javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\"},\"help\":{\"markdown\":\"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. 
If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n\",\"text\":\"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. 
If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"id\":\"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"name\":\"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1333: Inefficient Regular Expression Complexity\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\"},\"help\":{\"markdown\":\"Detected a hardcoded hmac key. 
Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key)\\n - [https://rules.sonarsource.com/javascript/RSPEC-2068](https://rules.sonarsource.com/javascript/RSPEC-2068)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management)\\n\",\"text\":\"Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"id\":\"javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"name\":\"javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. 
Try to use sanitization library instead or use a Regex with a global flag.\"},\"help\":{\"markdown\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"id\":\"javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"name\":\"javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-116: Improper Encoding or Escaping of Output\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. 
MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://www.npmjs.com/package/bcrypt](https://www.npmjs.com/package/bcrypt)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use the `bcrypt` node.js package.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"id\":\"javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"name\":\"javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\"},\"help\":{\"markdown\":\"Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Detected possible user input going into a `path.join` or `path.resolve` function. 
This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"id\":\"javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"name\":\"javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\"},\"help\":{\"markdown\":\"Possibility of prototype polluting function detected. 
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\\n\",\"text\":\"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). 
Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"id\":\"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"name\":\"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\"},\"help\":{\"markdown\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. 
Use \u0027{shell: false}\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"id\":\"javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"name\":\"javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe\",\"id\":\"javascript.node-expat.security.audit.expat-xxe.expat-xxe\",\"name\":\"javascript.node-expat.security.audit.expat-xxe.expat-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. 
It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret\",\"id\":\"javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret\",\"name\":\"javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable 
cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection\",\"id\":\"javascript.phantom.security.audit.phantom-injection.phantom-injection\",\"name\":\"javascript.phantom.security.audit.phantom-injection.phantom-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection\",\"id\":\"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection\",\"name\":\"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection\",\"id\":\"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection\",\"name\":\"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"id\":\"javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"name\":\"javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\"},\"help\":{\"markdown\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"id\":\"javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"name\":\"javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"id\":\"javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"name\":\"javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"id\":\"javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"name\":\"javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\"},\"help\":{\"markdown\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `sandbox`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `sandbox`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Make sure that unverified user data can not reach `sandbox`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"id\":\"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"name\":\"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - 
Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\"},\"help\":{\"markdown\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe)\\n - [https://github.com/Leonidas-from-XIV/node-xml2js/issues/415](https://github.com/Leonidas-from-XIV/node-xml2js/issues/415)\\n - [https://github.com/isaacs/sax-js](https://github.com/isaacs/sax-js)\\n\",\"text\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. 
Ensure your variables are not controlled by users or sufficiently sanitized.\"},\"help\":{\"markdown\":\"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Ensure your variables are not controlled by users or sufficiently sanitized.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call\",\"id\":\"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call\",\"name\":\"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\"},\"help\":{\"markdown\":\"A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. 
Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\\n\",\"text\":\"A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly\",\"id\":\"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly\",\"name\":\"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\"},\"help\":{\"markdown\":\"A cookie was detected without setting the \u0027secure\u0027 flag. 
The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag)\\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\\n\",\"text\":\"A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag\",\"id\":\"kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag\",\"name\":\"kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\"},\"help\":{\"markdown\":\"DefaultHttpClient is deprecated. 
Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"id\":\"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"name\":\"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. 
See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\"},\"help\":{\"markdown\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher\",\"id\":\"kotlin.lang.security.ecb-cipher.ecb-cipher\",\"name\":\"kotlin.lang.security.ecb-cipher.ecb-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.ecb-cipher.ecb-cipher\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are 
different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\"},\"help\":{\"markdown\":\"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection)\\n - [https://cwe.mitre.org/data/definitions/323.html](https://cwe.mitre.org/data/definitions/323.html)\\n\",\"text\":\"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. 
Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection\",\"id\":\"kotlin.lang.security.gcm-detection.gcm-detection\",\"name\":\"kotlin.lang.security.gcm-detection.gcm-detection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-323: Reusing a Nonce, Key Pair in Encryption\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.gcm-detection.gcm-detection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher\",\"id\":\"kotlin.lang.security.no-null-cipher.no-null-cipher\",\"name\":\"kotlin.lang.security.no-null-cipher.no-null-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\"},\"help\":{\"markdown\":\"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. 
Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket\",\"id\":\"kotlin.lang.security.unencrypted-socket.unencrypted-socket\",\"name\":\"kotlin.lang.security.unencrypted-socket.unencrypted-socket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5\",\"id\":\"kotlin.lang.security.use-of-md5.use-of-md5\",\"name\":\"kotlin.lang.security.use-of-md5.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1\",\"id\":\"kotlin.lang.security.use-of-sha1.use-of-sha1\",\"name\":\"kotlin.lang.security.use-of-sha1.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.use-of-sha1.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RSA keys should be at least 2048 bits based on NIST recommendation.\"},\"help\":{\"markdown\":\"RSA keys should be at least 2048 bits based on NIST recommendation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\\n\",\"text\":\"RSA 
keys should be at least 2048 bits based on NIST recommendation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key\",\"id\":\"kotlin.lang.security.weak-rsa.use-of-weak-rsa-key\",\"name\":\"kotlin.lang.security.weak-rsa.use-of-weak-rsa-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\"},\"help\":{\"markdown\":\"Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives)\\n\",\"text\":\"Pervasives is deprecated and will not be available after 4.10. 
Use Stdlib.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives\",\"id\":\"ocaml.lang.compatibility.deprecated.deprecated-pervasives\",\"name\":\"ocaml.lang.compatibility.deprecated.deprecated-pervasives\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: ocaml.lang.compatibility.deprecated.deprecated-pervasives\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027input_line\u0027 leaves a \u0027\\\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \\\"\\\\r\\\\n\\\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\"},\"help\":{\"markdown\":\"\u0027input_line\u0027 leaves a \u0027\\\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \\\"\\\\r\\\\n\\\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line)\\n\",\"text\":\"\u0027input_line\u0027 leaves a \u0027\\\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \\\"\\\\r\\\\n\\\" (CRLF). 
Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\"},\"help\":{\"markdown\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"id\":\"php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"name\":\"php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\"},\"help\":{\"markdown\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host\",\"id\":\"php.lang.security.injection.tainted-url-host.tainted-url-host\",\"name\":\"php.lang.security.injection.tainted-url-host.tainted-url-host\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. 
Consider enforcing authentication for LDAP.\"},\"help\":{\"markdown\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password)\\n - [https://www.php.net/manual/en/function.ldap-bind.php](https://www.php.net/manual/en/function.ldap-bind.php)\\n\",\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"id\":\"php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"name\":\"php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.ldap-bind-without-password.ldap-bind-without-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\"},\"help\":{\"markdown\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. 
The eval modifier (`e`) evaluates the replacement argument as code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval)\\n - [https://www.php.net/manual/en/function.mb-ereg-replace.php](https://www.php.net/manual/en/function.mb-ereg-replace.php)\\n - [https://www.php.net/manual/en/function.mb-regex-set-options.php](https://www.php.net/manual/en/function.mb-regex-set-options.php)\\n\",\"text\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"id\":\"php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"name\":\"php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\"},\"help\":{\"markdown\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. 
Consider using Sodium or OpenSSL.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use)\\n - [https://www.php.net/manual/en/intro.mcrypt.php](https://www.php.net/manual/en/intro.mcrypt.php)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php)\\n\",\"text\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use\",\"id\":\"php.lang.security.mcrypt-use.mcrypt-use\",\"name\":\"php.lang.security.mcrypt-use.mcrypt-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.mcrypt-use.mcrypt-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\"},\"help\":{\"markdown\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\\n - 
[https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\\n - [https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/](https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/)\\n\",\"text\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality\",\"id\":\"php.lang.security.md5-loose-equality.md5-loose-equality\",\"name\":\"php.lang.security.md5-loose-equality.md5-loose-equality\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-697: Incorrect Comparison\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password\",\"id\":\"php.lang.security.md5-used-as-password.md5-used-as-password\",\"name\":\"php.lang.security.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\"},\"help\":{\"markdown\":\"Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv)\\n - [https://csrc.nist.gov/publications/detail/sp/800-38a/final](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\\n\",\"text\":\"Static IV used with AES in CBC mode. 
Static IVs enable chosen-plaintext attacks against encrypted data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"id\":\"php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"name\":\"php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-329: Generation of Predictable IV with CBC Mode\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". This will disable CORS Same Origin Policy restrictions.\"},\"help\":{\"markdown\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". This will disable CORS Same Origin Policy restrictions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\\n\",\"text\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". 
This will disable CORS Same Origin Policy restrictions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors\",\"id\":\"php.lang.security.php-permissive-cors.php-permissive-cors\",\"name\":\"php.lang.security.php-permissive-cors.php-permissive-cors\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-346: Origin Validation Error\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\"},\"help\":{\"markdown\":\"The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use)\\n - [https://www.php.net/manual/en/function.phpinfo](https://www.php.net/manual/en/function.phpinfo)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php)\\n\",\"text\":\"The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use\",\"id\":\"php.lang.security.phpinfo-use.phpinfo-use\",\"name\":\"php.lang.security.phpinfo-use.phpinfo-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.phpinfo-use.phpinfo-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\"},\"help\":{\"markdown\":\"Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec)\\n - [https://www.stackhawk.com/blog/php-command-injection/](https://www.stackhawk.com/blog/php-command-injection/)\\n - [https://brightsec.com/blog/code-injection-php/](https://brightsec.com/blog/code-injection-php/)\\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\\n\",\"text\":\"Executing non-constant commands. This can lead to command injection. 
You should use `escapeshellarg()` when using command.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec\",\"id\":\"php.lang.security.tainted-exec.tainted-exec\",\"name\":\"php.lang.security.tainted-exec.tainted-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.tainted-exec.tainted-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\"},\"help\":{\"markdown\":\"Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use)\\n - [https://www.php.net/manual/en/function.unlink](https://www.php.net/manual/en/function.unlink)\\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\\n\",\"text\":\"Using user input when deleting files with `unlink()` is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use\",\"id\":\"php.lang.security.unlink-use.unlink-use\",\"name\":\"php.lang.security.unlink-use.unlink-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.unlink-use.unlink-use\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\"},\"help\":{\"markdown\":\"Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use)\\n - [https://www.php.net/manual/en/function.unserialize.php](https://www.php.net/manual/en/function.unserialize.php)\\n - [https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html](https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html)\\n\",\"text\":\"Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. 
Google Protocol Buffers).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use\",\"id\":\"php.lang.security.unserialize-use.unserialize-use\",\"name\":\"php.lang.security.unserialize-use.unserialize-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.unserialize-use.unserialize-use\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\"},\"help\":{\"markdown\":\"HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection)\\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\\n\",\"text\":\"HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection\",\"id\":\"php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection\",\"name\":\"php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\"},\"help\":{\"markdown\":\"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\\n\",\"text\":\"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. 
Instead, use parameterized queries and prepared statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection\",\"id\":\"php.laravel.security.laravel-sql-injection.laravel-sql-injection\",\"name\":\"php.laravel.security.laravel-sql-injection.laravel-sql-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\"},\"help\":{\"markdown\":\"Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator)\\n - [https://laravel.com/docs/9.x/validation#rule-unique](https://laravel.com/docs/9.x/validation#rule-unique)\\n\",\"text\":\"Found a request argument passed to an `ignore()` definition in a Rule constraint. 
This can lead to SQL injection.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator\",\"id\":\"php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator\",\"name\":\"php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\"},\"help\":{\"markdown\":\"CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled)\\n - [https://symfony.com/doc/current/security/csrf.html](https://symfony.com/doc/current/security/csrf.html)\\n\",\"text\":\"CSRF protection is disabled for this configuration. This is a security risk. 
Make sure that it is safe or consider setting `csrf_protection` property to `true`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled\",\"id\":\"php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled\",\"name\":\"php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\"},\"help\":{\"markdown\":\"The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. 
Consider using literal values or an allowlist to validate URLs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect)\\n - [https://symfony.com/doc/current/controller.html#redirecting](https://symfony.com/doc/current/controller.html#redirecting)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\\n\",\"text\":\"The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect\",\"id\":\"php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect\",\"name\":\"php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". 
This will disable CORS Same Origin Policy restrictions.\"},\"help\":{\"markdown\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". This will disable CORS Same Origin Policy restrictions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors)\\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\\n\",\"text\":\"Access-Control-Allow-Origin response header is set to \\\"*\\\". This will disable CORS Same Origin Policy restrictions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors\",\"id\":\"php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors\",\"name\":\"php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-346: Origin Validation Error\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\"},\"help\":{\"markdown\":\"Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit)\\n - [https://developer.wordpress.org/reference/functions/wp_safe_remote_get/](https://developer.wordpress.org/reference/functions/wp_safe_remote_get/)\\n - [https://developer.wordpress.org/reference/functions/wp_remote_get/](https://developer.wordpress.org/reference/functions/wp_remote_get/)\\n - [https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/)\\n\",\"text\":\"Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit\",\"id\":\"php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit\",\"name\":\"php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\"},\"help\":{\"markdown\":\"Checks for disabling of TLS/SSL certificate verification. 
This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)\\n - [https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate](https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate)\\n\",\"text\":\"Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\"},\"help\":{\"markdown\":\"Detects creations of tls configuration objects with an insecure MinVersion of TLS. 
These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions)\\n - [https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle](https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle)\\n\",\"text\":\"Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"HIGH CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\"},\"help\":{\"markdown\":\"Checks for outgoing connections to ftp servers with the ftp package. 
FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request)\\n - [https://godoc.org/github.com/jlaffaye/ftp#Dial](https://godoc.org/github.com/jlaffaye/ftp#Dial)\\n - [https://github.com/jlaffaye/ftp](https://github.com/jlaffaye/ftp)\\n\",\"text\":\"Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\"},\"help\":{\"markdown\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. 
This is dangerous because it could result in plaintext PII being passed around the network.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\\n\",\"text\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\"},\"help\":{\"markdown\":\"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. 
This is dangerous because it could result in plaintext PII being passed around the network.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\\n\",\"text\":\"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. 
Instead, send requests only to https:// URLS.\"},\"help\":{\"markdown\":\"Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request)\\n - [https://golang.org/pkg/net/http/#NewRequest](https://golang.org/pkg/net/http/#NewRequest)\\n\",\"text\":\"Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests sent via http.$FUNC to http:// URLS. 
This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\"},\"help\":{\"markdown\":\"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\\n\",\"text\":\"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. 
This is dangerous because it could result in plaintext PII being passed around the network.\"},\"help\":{\"markdown\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\\n\",\"text\":\"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for attempts to connect to an insecure telnet server using the package telnet. 
This is bad because it can lead to man in the middle attacks.\"},\"help\":{\"markdown\":\"Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request)\\n - [https://godoc.org/github.com/reiver/go-telnet](https://godoc.org/github.com/reiver/go-telnet)\\n\",\"text\":\"Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request\",\"id\":\"problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request\",\"name\":\"problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. 
This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\"},\"help\":{\"markdown\":\"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\\n\",\"text\":\"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. 
This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification\",\"id\":\"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification\",\"name\":\"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\"},\"help\":{\"markdown\":\"Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. 
FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request)\\n - [https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-](https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-)\\n\",\"text\":\"Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request\",\"id\":\"problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request\",\"name\":\"problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support)\\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\\n - [https://www.npmjs.com/package/got](https://www.npmjs.com/package/got)\\n - [https://www.npmjs.com/package/node-rest-client](https://www.npmjs.com/package/node-rest-client)\\n\",\"text\":\"Checks for requests to http (unencrypted) sites using some of node js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support\",\"id\":\"problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support\",\"name\":\"problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\"},\"help\":{\"markdown\":\"Checks for creation of telnet servers or attempts to connect through telnet. 
This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request)\\n - [https://www.npmjs.com/package/telnet](https://www.npmjs.com/package/telnet)\\n - [https://www.npmjs.com/package/telnet-client](https://www.npmjs.com/package/telnet-client)\\n\",\"text\":\"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request\",\"id\":\"problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request\",\"name\":\"problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\"},\"help\":{\"markdown\":\"Checks for any usage of http servers instead of https servers. 
Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\\n\",\"text\":\"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server\",\"id\":\"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server\",\"name\":\"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests to http (unencrypted) sites using some 
of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\"},\"help\":{\"markdown\":\"Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests)\\n - [https://github.com/rest-client/rest-client](https://github.com/rest-client/rest-client)\\n - [https://github.com/jnunemaker/httparty/tree/master/docs](https://github.com/jnunemaker/httparty/tree/master/docs)\\n\",\"text\":\"Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests\",\"id\":\"problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests\",\"name\":\"problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. 
Instead, connect via the SFTP protocol.\"},\"help\":{\"markdown\":\"Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request)\\n - [https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html](https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html)\\n\",\"text\":\"Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request\",\"id\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request\",\"name\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. 
Instead, only send requests to https:// URLs.\"},\"help\":{\"markdown\":\"Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request)\\n - [https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/](https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/)\\n\",\"text\":\"Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request\",\"id\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request\",\"name\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for creation of telnet servers or attempts to connect through telnet. 
This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\"},\"help\":{\"markdown\":\"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\\n\",\"text\":\"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request\",\"id\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request\",\"name\":\"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for requests to http and ftp (unencrypted) sites using 
OpenURI.\"},\"help\":{\"markdown\":\"Checks for requests to http and ftp (unencrypted) sites using OpenURI.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request)\\n - [https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html](https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html)\\n\",\"text\":\"Checks for requests to http and ftp (unencrypted) sites using OpenURI.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request\",\"id\":\"problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request\",\"name\":\"problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\"},\"help\":{\"markdown\":\"Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. 
Be extra sure your variables are not controllable by external sources.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator\",\"id\":\"python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator\",\"name\":\"python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using \u0027shlex.escape()\u0027.\"},\"help\":{\"markdown\":\"Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec)\\n - [https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec](https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec)\\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\\n\",\"text\":\"Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using \u0027shlex.escape()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec\",\"id\":\"python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec\",\"name\":\"python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\"},\"help\":{\"markdown\":\"Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using \u0027shlex.escape()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\\n\",\"text\":\"Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec\",\"id\":\"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec\",\"name\":\"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected asyncio subprocess function with argument tainted by `event` object. 
If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\"},\"help\":{\"markdown\":\"Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell)\\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\\n\",\"text\":\"Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. 
You may consider using \u0027shlex.escape()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell\",\"id\":\"python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell\",\"name\":\"python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\"},\"help\":{\"markdown\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. 
Ensure no external data reaches here.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process\",\"id\":\"python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process\",\"name\":\"python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose.\"},\"help\":{\"markdown\":\"Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. 
You may consider using \u0027shlex.split()\u0027 for this purpose.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use)\\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\\n\",\"text\":\"Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. 
You may consider using \u0027shlex.split()\u0027 for this purpose.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"id\":\"python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"name\":\"python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\"},\"help\":{\"markdown\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. 
Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call\",\"id\":\"python.aws-lambda.security.dangerous-system-call.dangerous-system-call\",\"name\":\"python.aws-lambda.security.dangerous-system-call.dangerous-system-call\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dangerous-system-call.dangerous-system-call\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. 
Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\"},\"help\":{\"markdown\":\"Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection)\\n - [https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac](https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac)\\n\",\"text\":\"Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection\",\"id\":\"python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection\",\"name\":\"python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-943: Improper Neutralization of Special Elements in Data Query Logic\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli)\\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html)\\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli\",\"id\":\"python.aws-lambda.security.mysql-sqli.mysql-sqli\",\"name\":\"python.aws-lambda.security.mysql-sqli.mysql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.mysql-sqli.mysql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli)\\n - [https://www.psycopg.org/docs/cursor.html#cursor.execute](https://www.psycopg.org/docs/cursor.html#cursor.execute)\\n - [https://www.psycopg.org/docs/cursor.html#cursor.executemany](https://www.psycopg.org/docs/cursor.html#cursor.executemany)\\n - [https://www.psycopg.org/docs/cursor.html#cursor.mogrify](https://www.psycopg.org/docs/cursor.html#cursor.mogrify)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli\",\"id\":\"python.aws-lambda.security.psycopg-sqli.psycopg-sqli\",\"name\":\"python.aws-lambda.security.psycopg-sqli.psycopg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.psycopg-sqli.psycopg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli\",\"id\":\"python.aws-lambda.security.pymssql-sqli.pymssql-sqli\",\"name\":\"python.aws-lambda.security.pymssql-sqli.pymssql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli)\\n - [https://pypi.org/project/PyMySQL/#id4](https://pypi.org/project/PyMySQL/#id4)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli\",\"id\":\"python.aws-lambda.security.pymysql-sqli.pymysql-sqli\",\"name\":\"python.aws-lambda.security.pymysql-sqli.pymysql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.pymysql-sqli.pymysql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli)\\n - [https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute](https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli\",\"id\":\"python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli\",\"name\":\"python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. 
Ensure evaluated content is not definable by external sources.\"},\"help\":{\"markdown\":\"Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec\",\"id\":\"python.aws-lambda.security.tainted-code-exec.tainted-code-exec\",\"name\":\"python.aws-lambda.security.tainted-code-exec.tainted-code-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.tainted-code-exec.tainted-code-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into an HTML response. 
You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\"},\"help\":{\"markdown\":\"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response\",\"id\":\"python.aws-lambda.security.tainted-html-response.tainted-html-response\",\"name\":\"python.aws-lambda.security.tainted-html-response.tainted-html-response\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
python.aws-lambda.security.tainted-html-response.tainted-html-response\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\"},\"help\":{\"markdown\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
Otherwise, use templates which will safely render HTML instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string\",\"id\":\"python.aws-lambda.security.tainted-html-string.tainted-html-string\",\"name\":\"python.aws-lambda.security.tainted-html-string.tainted-html-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.tainted-html-string.tainted-html-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\"},\"help\":{\"markdown\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. 
Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\\n\",\"text\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization\",\"id\":\"python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization\",\"name\":\"python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. 
An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\"},\"help\":{\"markdown\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"id\":\"python.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"name\":\"python.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.aws-lambda.security.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n - [https://bento.dev/checks/boto3/hardcoded-access-token/](https://bento.dev/checks/boto3/hardcoded-access-token/)\\n - [https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token\",\"id\":\"python.boto3.security.hardcoded-token.hardcoded-token\",\"name\":\"python.boto3.security.hardcoded-token.hardcoded-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.boto3.security.hardcoded-token.hardcoded-token\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\"},\"help\":{\"markdown\":\"Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key)\\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\\n - [https://cwe.mitre.org/data/definitions/310.html](https://cwe.mitre.org/data/definitions/310.html)\\n\",\"text\":\"Potential empty AES encryption key. 
Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key\",\"id\":\"python.cryptography.security.empty-aes-key.empty-aes-key\",\"name\":\"python.cryptography.security.empty-aes-key.empty-aes-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-310: Cryptographic Issues\",\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A6:2017 misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.empty-aes-key.empty-aes-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\"},\"help\":{\"markdown\":\"ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. 
Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4)\\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\\n\",\"text\":\"ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4\",\"id\":\"python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4\",\"name\":\"python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Blowfish is 
a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\"},\"help\":{\"markdown\":\"Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish)\\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\\n\",\"text\":\"Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. 
Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish\",\"id\":\"python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish\",\"name\":\"python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\"},\"help\":{\"markdown\":\"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. 
With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\\n\",\"text\":\"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. 
Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea\",\"id\":\"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea\",\"name\":\"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\"},\"help\":{\"markdown\":\"ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. 
Use a different, cryptographically strong mode instead, such as GCM.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb)\\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes)\\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\\n\",\"text\":\"ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb\",\"id\":\"python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb\",\"name\":\"python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. 
MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)\\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5\",\"id\":\"python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5\",\"name\":\"python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"id\":\"python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"name\":\"python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\"},\"help\":{\"markdown\":\"Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\\n - [https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf](https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf)\\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\\n\",\"text\":\"Detected an insufficient key size for DSA. 
NIST recommends a key size of 2048 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"id\":\"python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"name\":\"python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\"},\"help\":{\"markdown\":\"Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves)\\n\",\"text\":\"Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. 
For example, use \u0027ec.SECP256R1\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size\",\"id\":\"python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size\",\"name\":\"python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\"},\"help\":{\"markdown\":\"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\\n\",\"text\":\"Detected an insufficient key size for RSA. 
NIST recommends a key size of 2048 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"id\":\"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"name\":\"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Initializing a security context for Dask (`distributed`) without \\\"require_encryption\\\" keyword argument may silently fail to provide security.\"},\"help\":{\"markdown\":\"Initializing a security context for Dask (`distributed`) without \\\"require_encryption\\\" keyword argument may silently fail to provide security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\\n\",\"text\":\"Initializing a security context for Dask (`distributed`) without \\\"require_encryption\\\" keyword argument may silently fail to provide security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.distributed.security.require-encryption\",\"id\":\"python.distributed.security.require-encryption\",\"name\":\"python.distributed.security.require-encryption\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.distributed.security.require-encryption\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\"},\"help\":{\"markdown\":\"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n\",\"text\":\"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization\",\"id\":\"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization\",\"name\":\"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027mark_safe()\u0027 is used to mark a string as \\\"safe\\\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\"},\"help\":{\"markdown\":\"\u0027mark_safe()\u0027 is used to mark a string as \\\"safe\\\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. 
Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe)\\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe)\\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html)\\n\",\"text\":\"\u0027mark_safe()\u0027 is used to mark a string as \\\"safe\\\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe\",\"id\":\"python.django.security.audit.avoid-mark-safe.avoid-mark-safe\",\"name\":\"python.django.security.audit.avoid-mark-safe.avoid-mark-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.avoid-mark-safe.avoid-mark-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. 
Instead, create a function without this decorator.\"},\"help\":{\"markdown\":\"Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt\",\"id\":\"python.django.security.audit.csrf-exempt.no-csrf-exempt\",\"name\":\"python.django.security.audit.csrf-exempt.no-csrf-exempt\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.csrf-exempt.no-csrf-exempt\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. 
Instead, ensure no user input enters this function or that user input is properly sanitized.\"},\"help\":{\"markdown\":\"Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql)\\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql)\\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\\n\",\"text\":\"Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. 
Instead, ensure no user input enters this function or that user input is properly sanitized.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql\",\"id\":\"python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql\",\"name\":\"python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\"},\"help\":{\"markdown\":\"Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. 
Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config)\\n - [https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy](https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy)\\n\",\"text\":\"Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config\",\"id\":\"python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config\",\"name\":\"python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-770: Allocation of Resources Without Limits or Throttling\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found extension of custom expression: $CLASS. 
Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\"},\"help\":{\"markdown\":\"Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression)\\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection)\\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\\n\",\"text\":\"Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. 
Instead, ensure no user input enters this function or that user input is properly sanitized.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression\",\"id\":\"python.django.security.audit.extends-custom-expression.extends-custom-expression\",\"name\":\"python.django.security.audit.extends-custom-expression.extends-custom-expression\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.extends-custom-expression.extends-custom-expression\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\"},\"help\":{\"markdown\":\"\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. 
Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra)\\n - [https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra](https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra)\\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\\n\",\"text\":\"\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. 
Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra\",\"id\":\"python.django.security.audit.query-set-extra.avoid-query-set-extra\",\"name\":\"python.django.security.audit.query-set-extra.avoid-query-set-extra\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.query-set-extra.avoid-query-set-extra\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\"},\"help\":{\"markdown\":\"Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. 
An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql)\\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions)\\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\\n\",\"text\":\"Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql\",\"id\":\"python.django.security.audit.raw-query.avoid-raw-sql\",\"name\":\"python.django.security.audit.raw-query.avoid-raw-sql\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.raw-query.avoid-raw-sql\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). 
If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\"},\"help\":{\"markdown\":\"Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie)\\n - [https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie](https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie)\\n - [https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/](https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/)\\n - [https://bento.dev/checks/flask/secure-set-cookie/](https://bento.dev/checks/flask/secure-set-cookie/)\\n\",\"text\":\"Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. 
If you want to attach cookies to requests for external sites, set samesite=None.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie\",\"id\":\"python.django.security.audit.secure-cookies.django-secure-set-cookie\",\"name\":\"python.django.security.audit.secure-cookies.django-secure-set-cookie\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.secure-cookies.django-secure-set-cookie\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\"},\"help\":{\"markdown\":\"Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. 
Remove the debug tag.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag)\\n - [https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug](https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug)\\n - [https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page](https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page)\\n\",\"text\":\"Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag\",\"id\":\"python.django.security.audit.templates.debug-template-tag.debug-template-tag\",\"name\":\"python.django.security.audit.templates.debug-template-tag.debug-template-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.templates.debug-template-tag.debug-template-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. 
See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\"},\"help\":{\"markdown\":\"The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\\n\",\"text\":\"The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. 
See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password\",\"id\":\"python.django.security.audit.unvalidated-password.unvalidated-password\",\"name\":\"python.django.security.audit.unvalidated-password.unvalidated-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-521: Weak Password Requirements\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\"},\"help\":{\"markdown\":\"Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring)\\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\\n - [https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11](https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11)\\n\",\"text\":\"Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring\",\"id\":\"python.django.security.audit.xss.class-extends-safestring.class-extends-safestring\",\"name\":\"python.django.security.audit.xss.class-extends-safestring.class-extends-safestring\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.class-extends-safestring.class-extends-safestring\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\"},\"help\":{\"markdown\":\"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. 
Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\\n\",\"text\":\"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off\",\"id\":\"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off\",\"name\":\"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. 
This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\"},\"help\":{\"markdown\":\"Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse)\\n - [https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render](https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render)\\n - [https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render)\\n\",\"text\":\"Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. 
Use Django\u0027s template engine to safely render HTML.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse\",\"id\":\"python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse\",\"name\":\"python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\"},\"help\":{\"markdown\":\"Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. 
Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe)\\n - [https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection)\\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\\n - [https://stackoverflow.com/questions/7665512/why-use-is-safe](https://stackoverflow.com/questions/7665512/why-use-is-safe)\\n\",\"text\":\"Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. 
Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe\",\"id\":\"python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe\",\"name\":\"python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\"},\"help\":{\"markdown\":\"Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. 
Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter)\\n - [https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html)\\n\",\"text\":\"Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter\",\"id\":\"python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter\",\"name\":\"python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Autoescape is globally disabled for this Django 
application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\"},\"help\":{\"markdown\":\"Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off)\\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\\n\",\"text\":\"Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. 
Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off\",\"id\":\"python.django.security.audit.xss.global-autoescape-off.global-autoescape-off\",\"name\":\"python.django.security.audit.xss.global-autoescape-off.global-autoescape-off\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.global-autoescape-off.global-autoescape-off\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\"},\"help\":{\"markdown\":\"The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method)\\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape)\\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\\n\",\"text\":\"The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method\",\"id\":\"python.django.security.audit.xss.html-magic-method.html-magic-method\",\"name\":\"python.django.security.audit.xss.html-magic-method.html-magic-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.html-magic-method.html-magic-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\"},\"help\":{\"markdown\":\"`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe)\\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe)\\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\\n\",\"text\":\"`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. 
If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe\",\"id\":\"python.django.security.audit.xss.html-safe.html-safe\",\"name\":\"python.django.security.audit.xss.html-safe.html-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.html-safe.html-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code.\"},\"help\":{\"markdown\":\"Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). 
If you must do this, consider instead, using `mark_safe` in Python code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off)\\n - [https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape](https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape)\\n\",\"text\":\"Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off\",\"id\":\"python.django.security.audit.xss.template-autoescape-off.template-autoescape-off\",\"name\":\"python.django.security.audit.xss.template-autoescape-off.template-autoescape-off\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. 
Consider using `force_escape` to explicitly escape a translated text.\"},\"help\":{\"markdown\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\\n\",\"text\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. 
Consider using `force_escape` to explicitly escape a translated text.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape\",\"id\":\"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape\",\"name\":\"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\"},\"help\":{\"markdown\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. 
Consider using `force_escape` to explicitly escape a translated text.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape)\\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\\n\",\"text\":\"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. 
Consider using `force_escape` to explicitly escape a translated text.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape\",\"id\":\"python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape\",\"name\":\"python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\"},\"help\":{\"markdown\":\"Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. 
If you must do this, use `mark_safe` in your Python code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq)\\n - [https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq](https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq)\\n\",\"text\":\"Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq\",\"id\":\"python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq\",\"name\":\"python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\"},\"help\":{\"markdown\":\"Manually-created forms 
in django templates should specify a csrf_token to prevent CSRF attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token)\\n - [https://docs.djangoproject.com/en/4.2/howto/csrf/](https://docs.djangoproject.com/en/4.2/howto/csrf/)\\n\",\"text\":\"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token\",\"id\":\"python.django.security.django-no-csrf-token.django-no-csrf-token\",\"name\":\"python.django.security.django-no-csrf-token.django-no-csrf-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.django-no-csrf-token.django-no-csrf-token\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\"},\"help\":{\"markdown\":\"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\\n - 
[https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\\n\",\"text\":\"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid\",\"id\":\"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid\",\"name\":\"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-20: Improper Input Validation\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\\\"var1\\\": \\\"hello\\\"}\u0027 and use that instead.\"},\"help\":{\"markdown\":\"Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. 
(This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\\\"var1\\\": \\\"hello\\\"}\u0027 and use that instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context)\\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\\n\",\"text\":\"Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. 
Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\\\"var1\\\": \\\"hello\\\"}\u0027 and use that instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context\",\"id\":\"python.django.security.globals-as-template-context.globals-as-template-context\",\"name\":\"python.django.security.globals-as-template-context.globals-as-template-context\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.globals-as-template-context.globals-as-template-context\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\"},\"help\":{\"markdown\":\"The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. 
This means the Django secret key can be obtained by attackers, through the HashIDs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret)\\n - [https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY)\\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\\n\",\"text\":\"The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret\",\"id\":\"python.django.security.hashids-with-django-secret.hashids-with-django-secret\",\"name\":\"python.django.security.hashids-with-django-secret.hashids-with-django-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 \u2013 Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.hashids-with-django-secret.hashids-with-django-secret\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. 
Refactor your code not to use \u0027globals()\u0027.\"},\"help\":{\"markdown\":\"Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution)\\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\\n\",\"text\":\"Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. 
Refactor your code not to use \u0027globals()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution\",\"id\":\"python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution\",\"name\":\"python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\"},\"help\":{\"markdown\":\"Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\\n\",\"text\":\"Found user data in a call to \u0027eval\u0027. 
This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string\",\"id\":\"python.django.security.injection.code.user-eval-format-string.user-eval-format-string\",\"name\":\"python.django.security.injection.code.user-eval-format-string.user-eval-format-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\"},\"help\":{\"markdown\":\"Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. 
Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval)\\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\\n\",\"text\":\"Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval\",\"id\":\"python.django.security.injection.code.user-eval.user-eval\",\"name\":\"python.django.security.injection.code.user-eval.user-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.code.user-eval.user-eval\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. 
Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\"},\"help\":{\"markdown\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string)\\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\\n\",\"text\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. 
Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string\",\"id\":\"python.django.security.injection.code.user-exec-format-string.user-exec-format-string\",\"name\":\"python.django.security.injection.code.user-exec-format-string.user-exec-format-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.code.user-exec-format-string.user-exec-format-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\"},\"help\":{\"markdown\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. 
Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec)\\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\\n\",\"text\":\"Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec\",\"id\":\"python.django.security.injection.code.user-exec.user-exec\",\"name\":\"python.django.security.injection.code.user-exec.user-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.code.user-exec.user-exec\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\"},\"help\":{\"markdown\":\"Request data detected in os.system. 
This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system)\\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\\n\",\"text\":\"Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system\",\"id\":\"python.django.security.injection.command.command-injection-os-system.command-injection-os-system\",\"name\":\"python.django.security.injection.command.command-injection-os-system.command-injection-os-system\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.command.command-injection-os-system.command-injection-os-system\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input entering a `subprocess` 
call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\"},\"help\":{\"markdown\":\"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. 
If you must use subprocess, use a dictionary to allowlist a set of commands.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection\",\"id\":\"python.django.security.injection.command.subprocess-injection.subprocess-injection\",\"name\":\"python.django.security.injection.command.subprocess-injection.subprocess-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.command.subprocess-injection.subprocess-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\"},\"help\":{\"markdown\":\"Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body)\\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\\n\",\"text\":\"Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. 
An attacker could inject data into this HTML email, causing XSS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body\",\"id\":\"python.django.security.injection.email.xss-html-email-body.xss-html-email-body\",\"name\":\"python.django.security.injection.email.xss-html-email-body.xss-html-email-body\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.email.xss-html-email-body.xss-html-email-body\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\"},\"help\":{\"markdown\":\"Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\\n\",\"text\":\"Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. 
An attacker could inject data into this HTML email, causing XSS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message\",\"id\":\"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message\",\"name\":\"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\"},\"help\":{\"markdown\":\"Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. 
You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\\n\",\"text\":\"Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment\",\"id\":\"python.django.security.injection.mass-assignment.mass-assignment\",\"name\":\"python.django.security.injection.mass-assignment.mass-assignment\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.mass-assignment.mass-assignment\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). 
See https://cwe.mitre.org/data/definitions/601.html for more information.\"},\"help\":{\"markdown\":\"Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect)\\n - [https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/](https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/)\\n - [https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231](https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231)\\n\",\"text\":\"Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). 
See https://cwe.mitre.org/data/definitions/601.html for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect\",\"id\":\"python.django.security.injection.open-redirect.open-redirect\",\"name\":\"python.django.security.injection.open-redirect.open-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.open-redirect.open-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\"},\"help\":{\"markdown\":\"Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. 
To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name\",\"id\":\"python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name\",\"name\":\"python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\"},\"help\":{\"markdown\":\"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. 
To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join\",\"id\":\"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join\",\"name\":\"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. 
To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\"},\"help\":{\"markdown\":\"Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. 
To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open\",\"id\":\"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open\",\"name\":\"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\"},\"help\":{\"markdown\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format)\\n - [https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render)\\n - [https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection)\\n\",\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format\",\"id\":\"python.django.security.injection.raw-html-format.raw-html-format\",\"name\":\"python.django.security.injection.raw-html-format.raw-html-format\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.raw-html-format.raw-html-format\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\"},\"help\":{\"markdown\":\"Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse)\\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\\n\",\"text\":\"Found user-controlled request data passed into HttpResponse. 
This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse\",\"id\":\"python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse\",\"name\":\"python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\"},\"help\":{\"markdown\":\"Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. 
Ensure that the request data is properly escaped or sanitzed.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest)\\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\\n\",\"text\":\"Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest\",\"id\":\"python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest\",\"name\":\"python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. 
Also you shouldn\u0027t cache verbs that can mutate state.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string\",\"id\":\"python.flask.caching.query-string.flask-cache-query-string\",\"name\":\"python.flask.caching.query-string.flask-cache-query-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.caching.query-string.flask-cache-query-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Running flask app with host 0.0.0.0 could expose the server publicly.\"},\"help\":{\"markdown\":\"Running flask app with host 0.0.0.0 could expose the server publicly.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Running flask app with host 0.0.0.0 could expose the server publicly.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\",\"id\":\"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\",\"name\":\"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-668: Exposure of Resource to Wrong Sphere\",\"HIGH CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\"},\"help\":{\"markdown\":\"top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly\",\"id\":\"python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly\",\"name\":\"python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-668: Exposure of Resource to Wrong Sphere\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. 
Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\"},\"help\":{\"markdown\":\"Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled)\\n - [https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/](https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/)\\n\",\"text\":\"Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled\",\"id\":\"python.flask.security.audit.debug-enabled.debug-enabled\",\"name\":\"python.flask.security.audit.debug-enabled.debug-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"HIGH CONFIDENCE\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.debug-enabled.debug-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. 
Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\"},\"help\":{\"markdown\":\"Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string\",\"id\":\"python.flask.security.audit.directly-returned-format-string.directly-returned-format-string\",\"name\":\"python.flask.security.audit.directly-returned-format-string.directly-returned-format-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Function `flask.url_for` with 
`_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\"},\"help\":{\"markdown\":\"Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true)\\n - [https://flask.palletsprojects.com/en/latest/api/#flask.url_for](https://flask.palletsprojects.com/en/latest/api/#flask.url_for)\\n - [https://portswigger.net/kb/issues/00500300_host-header-injection](https://portswigger.net/kb/issues/00500300_host-header-injection)\\n\",\"text\":\"Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true\",\"id\":\"python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true\",\"name\":\"python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-673: External Influence of Sphere Definition\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Hardcoded variable `DEBUG` detected. 
Set this by using FLASK_DEBUG environment variable\"},\"help\":{\"markdown\":\"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\\n\",\"text\":\"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG\",\"id\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG\",\"name\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Hardcoded variable `ENV` detected. 
Set this by using FLASK_ENV environment variable\"},\"help\":{\"markdown\":\"Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV)\\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\\n\",\"text\":\"Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV\",\"id\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV\",\"name\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Hardcoded variable `SECRET_KEY` detected. 
Use environment variables or config files instead\"},\"help\":{\"markdown\":\"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\\n\",\"text\":\"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY\",\"id\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY\",\"name\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Hardcoded variable `TESTING` detected. 
Use environment variables or config files instead\"},\"help\":{\"markdown\":\"Hardcoded variable `TESTING` detected. Use environment variables or config files instead\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING)\\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\\n\",\"text\":\"Hardcoded variable `TESTING` detected. Use environment variables or config files instead\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING\",\"id\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING\",\"name\":\"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a template created with string formatting. 
This is susceptible to server-side template injection and cross-site scripting attacks.\"},\"help\":{\"markdown\":\"Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string)\\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\\n\",\"text\":\"Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string\",\"id\":\"python.flask.security.audit.render-template-string.render-template-string\",\"name\":\"python.flask.security.audit.render-template-string.render-template-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.render-template-string.render-template-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). 
If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\"},\"help\":{\"markdown\":\"Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie)\\n - [https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie](https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie)\\n - [https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options](https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options)\\n\",\"text\":\"Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. 
Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie\",\"id\":\"python.flask.security.audit.secure-set-cookie.secure-set-cookie\",\"name\":\"python.flask.security.audit.secure-set-cookie.secure-set-cookie\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.secure-set-cookie.secure-set-cookie\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\"},\"help\":{\"markdown\":\"Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled)\\n - [https://flask-wtf.readthedocs.io/en/1.2.x/csrf/](https://flask-wtf.readthedocs.io/en/1.2.x/csrf/)\\n\",\"text\":\"Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled\",\"id\":\"python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled\",\"name\":\"python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.\"},\"help\":{\"markdown\":\"Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. 
If you are returning data from an API, consider using `flask.jsonify()`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content)\\n - [https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11](https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11)\\n - [https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response](https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response)\\n - [https://flask.palletsprojects.com/en/1.1.x/api/#response-objects](https://flask.palletsprojects.com/en/1.1.x/api/#response-objects)\\n\",\"text\":\"Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. 
by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input)\\n - [https://flask.palletsprojects.com/en/1.0.x/security/](https://flask.palletsprojects.com/en/1.0.x/security/)\\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\\n\",\"text\":\"Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input\",\"id\":\"python.flask.security.unsanitized-input.response-contains-unsanitized-input\",\"name\":\"python.flask.security.unsanitized-input.response-contains-unsanitized-input\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.unsanitized-input.response-contains-unsanitized-input\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected direct use of jinja2. 
If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\"},\"help\":{\"markdown\":\"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\\n\",\"text\":\"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. 
Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\",\"id\":\"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\",\"name\":\"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\"},\"help\":{\"markdown\":\"Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. 
Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)\\n - [https://tedboy.github.io/flask/generated/generated/flask.Markup.html](https://tedboy.github.io/flask/generated/generated/flask.Markup.html)\\n\",\"text\":\"Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup\",\"id\":\"python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup\",\"name\":\"python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. 
Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\"},\"help\":{\"markdown\":\"Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off)\\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping](https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping)\\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\\n\",\"text\":\"Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. 
Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off\",\"id\":\"python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off\",\"name\":\"python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\"},\"help\":{\"markdown\":\"The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"The object is passed strictly to jwt.encode(...) 
Make sure that sensitive information is not exposed through JWT token payload.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data\",\"id\":\"python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data\",\"name\":\"python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\"},\"help\":{\"markdown\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\\n\",\"text\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. 
Do not store passwords in JWT tokens.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials\",\"id\":\"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials\",\"name\":\"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\"},\"help\":{\"markdown\":\"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\\n\",\"text\":\"Hardcoded JWT secret or private key is used. 
This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret\",\"id\":\"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret\",\"name\":\"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg\",\"id\":\"python.jwt.security.jwt-none-alg.jwt-python-none-alg\",\"name\":\"python.jwt.security.jwt-none-alg.jwt-python-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.jwt.security.jwt-none-alg.jwt-python-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\"},\"help\":{\"markdown\":\"Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. 
Ensure that the JWT token is verified.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\\n\",\"text\":\"Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode\",\"id\":\"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode\",\"name\":\"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"the `errors` argument to Popen is only available on Python 3.6+\"},\"help\":{\"markdown\":\"the `errors` argument to Popen is only available on Python 3.6+\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1)\\n\",\"text\":\"the `errors` argument to Popen is only available on Python 3.6+\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1\",\"id\":\"python.lang.compatibility.python36.python36-compatibility-Popen1\",\"name\":\"python.lang.compatibility.python36.python36-compatibility-Popen1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen1\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"the `encoding` argument to Popen is only available on Python 3.6+\"},\"help\":{\"markdown\":\"the `encoding` argument to Popen is only available on Python 3.6+\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\\n\",\"text\":\"the `encoding` argument to Popen is only available on Python 3.6+\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2\",\"id\":\"python.lang.compatibility.python36.python36-compatibility-Popen2\",\"name\":\"python.lang.compatibility.python36.python36-compatibility-Popen2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"this function is only available on Python 3.6+\"},\"help\":{\"markdown\":\"this function is 
only available on Python 3.6+\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl)\\n\",\"text\":\"this function is only available on Python 3.6+\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl\",\"id\":\"python.lang.compatibility.python36.python36-compatibility-ssl\",\"name\":\"python.lang.compatibility.python36.python36-compatibility-ssl\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-ssl\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\"},\"help\":{\"markdown\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn)\\n\",\"text\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. 
Remove this in order for this code to work in Python 3.6 and below.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn\",\"id\":\"python.lang.compatibility.python37.python37-compatibility-httpconn\",\"name\":\"python.lang.compatibility.python37.python37-compatibility-httpconn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpconn\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\"},\"help\":{\"markdown\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn)\\n\",\"text\":\"Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. 
Remove this in order for this code to work in Python 3.6 and below.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn\",\"id\":\"python.lang.compatibility.python37.python37-compatibility-httpsconn\",\"name\":\"python.lang.compatibility.python37.python37-compatibility-httpsconn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpsconn\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\"},\"help\":{\"markdown\":\"source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib)\\n\",\"text\":\"source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. 
Instead, use another hash function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib\",\"id\":\"python.lang.compatibility.python37.python37-compatibility-importlib\",\"name\":\"python.lang.compatibility.python37.python37-compatibility-importlib\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\"},\"help\":{\"markdown\":\"Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\\n\",\"text\":\"Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. 
Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context\",\"id\":\"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context\",\"name\":\"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\"},\"help\":{\"markdown\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted. 
Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http\",\"id\":\"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http\",\"name\":\"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\"},\"help\":{\"markdown\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. 
Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http\",\"id\":\"python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http\",\"name\":\"python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\"},\"help\":{\"markdown\":\"The \u0027ssl\u0027 module disables insecure cipher suites by default. 
Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers)\\n - [https://docs.python.org/3/library/ssl.html#cipher-selection](https://docs.python.org/3/library/ssl.html#cipher-selection)\\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers)\\n\",\"text\":\"The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers\",\"id\":\"python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers\",\"name\":\"python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. 
Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\"},\"help\":{\"markdown\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\\n\",\"text\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. 
urllib does not support SFTP, so consider a library which supports SFTP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\"},\"help\":{\"markdown\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. 
Use \u0027https://\u0027 instead to secure the channel.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\\n\",\"text\":\"Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. 
urllib does not support SFTP natively, so consider using a library which supports SFTP.\"},\"help\":{\"markdown\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\\n\",\"text\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. 
urllib does not support SFTP natively, so consider using a library which supports SFTP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\"},\"help\":{\"markdown\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. 
Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\\n\",\"text\":\"Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\"},\"help\":{\"markdown\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. 
This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\\n\",\"text\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. 
Use \u0027https://\u0027 instead.\"},\"help\":{\"markdown\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\\n\",\"text\":\"Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\"},\"help\":{\"markdown\":\"Detected an insecure transmission channel. 
\u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\\n\",\"text\":\"Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. 
Use \u0027https://\u0027 instead to secure the channel.\"},\"help\":{\"markdown\":\"Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\\n\",\"text\":\"Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open\",\"id\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open\",\"name\":\"python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. 
Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\"},\"help\":{\"markdown\":\"Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp)\\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\\n\",\"text\":\"Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. 
You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\\\"SELECT $1 FROM table\\\"); await stmt.fetch(user_value)\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli\",\"id\":\"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli\",\"name\":\"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\\\"SELECT :value FROM table\\\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\\\"SELECT (:v) FROM table\\\")\u0027\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\\\"SELECT :value FROM table\\\", value=myvalue)\u0027. 
You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\\\"SELECT (:v) FROM table\\\")\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli)\\n - [https://github.com/tlocke/pg8000](https://github.com/tlocke/pg8000)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\\\"SELECT :value FROM table\\\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\\\"SELECT (:v) FROM table\\\")\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli\",\"id\":\"python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli\",\"name\":\"python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. 
In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. 
For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli\",\"id\":\"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli\",\"name\":\"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\"},\"help\":{\"markdown\":\"\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. 
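The four SQL-injection rules above (aiopg-sqli, asyncpg-sqli, pg8000-sqli, psycopg-sqli) all flag the same pattern: a non-literal spliced into the SQL text. The following is an added example, not code from the scanned project or from Semgrep. It uses the standard-library sqlite3 module as a stand-in for the PostgreSQL drivers so that it runs offline; the placeholder syntax differs per driver (`?` for sqlite3, `%s` for psycopg2 and aiopg, `$1` for asyncpg, `:name` for pg8000) but the mechanism is the same: the value is bound separately and never parsed as SQL. The table, rows and the injection payload are constructed for the demonstration. Note that the psycopg2 example in the rule text above is missing its quotes and parameter tuple; the working call is `cur.execute("SELECT * FROM table WHERE name=%s", (user_input,))`.

```python
"""Added example: string-built SQL versus a parameterized query (sqlite3 stand-in)."""
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]

# Constructed attacker input: closes the quoted literal and appends a
# tautology so the WHERE clause matches every row.
INJECTION = "nobody' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the rules flag: a non-literal concatenated into the SQL text.

    If `name` is attacker-controlled, the quote characters it carries become
    part of the statement and change what the database executes.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: bind the value as a parameter, never as SQL text.

    sqlite3 uses '?' placeholders; the psycopg2 equivalent is
    cur.execute("SELECT name FROM users WHERE name = %s", (name,)).
    """
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo() -> dict:
    """Run both versions against a normal name and the injection payload."""
    conn = make_db()
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_injected": find_user_unsafe(conn, INJECTION),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} -> {rows}")
```

The unsafe version returns every user for the injected input because the statement has become `... WHERE name = 'nobody' OR '1'='1'`; the parameterized version looks for a user literally named `nobody' OR '1'='1` and finds none. The rules carry LOW CONFIDENCE because they match any concatenation, including ones with trusted variables; the fix is the same either way.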
Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated)\\n - [https://docs.python.org/3/library/ssl.html#ssl.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)\\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)\\n\",\"text\":\"\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated\",\"id\":\"python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated\",\"name\":\"python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. 
Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\"},\"help\":{\"markdown\":\"Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true)\\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\\n\",\"text\":\"Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. 
Use \u0027shell=False\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true\",\"id\":\"python.lang.security.audit.subprocess-shell-true.subprocess-shell-true\",\"name\":\"python.lang.security.audit.subprocess-shell-true.subprocess-shell-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\"},\"help\":{\"markdown\":\"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. 
See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\\n\",\"text\":\"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected\",\"id\":\"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected\",\"name\":\"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-155: Improper Neutralization of Wildcards or Matching Symbols\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Telnet does not encrypt communications. Use SSH instead.\"},\"help\":{\"markdown\":\"Telnet does not encrypt communications. 
Use SSH instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib)\\n - [https://docs.python.org/3/library/telnetlib.html](https://docs.python.org/3/library/telnetlib.html)\\n\",\"text\":\"Telnet does not encrypt communications. Use SSH instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib\",\"id\":\"python.lang.security.audit.telnetlib.telnetlib\",\"name\":\"python.lang.security.audit.telnetlib.telnetlib\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.telnetlib.telnetlib\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\"},\"help\":{\"markdown\":\"An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. 
Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version)\\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\\n - [https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2](https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2)\\n\",\"text\":\"An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version\",\"id\":\"python.lang.security.audit.weak-ssl-version.weak-ssl-version\",\"name\":\"python.lang.security.audit.weak-ssl-version.weak-ssl-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.audit.weak-ssl-version.weak-ssl-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\"},\"help\":{\"markdown\":\"Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. 
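The ssl-wrap-socket-is-deprecated and weak-ssl-version rules above describe two halves of the same problem: `ssl.wrap_socket()` (removed in Python 3.12) performed neither SNI nor hostname matching, and the version-specific `PROTOCOL_TLSv1*` constants pin a single version and are themselves deprecated in favour of `SSLContext.minimum_version`. The block below is an added example, not code from the scanned project or from Semgrep: it builds the hardened client context the rules point to, a weak one that reproduces what `wrap_socket()` gave you, and a small `audit_context()` check (my own helper, not a Semgrep feature) that reports the weaknesses. `connect_tls()` shows where `server_hostname` goes; it needs a network and is not exercised here.

```python
"""Added example: SSLContext in place of ssl.wrap_socket(), with a reviewer's audit."""
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer certificate, checks the hostname
    and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()            # PROTOCOL_TLS_CLIENT + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 and all SSL versions excluded
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What ssl.wrap_socket(sock) effectively gave you: no hostname check and
    no certificate verification, with the lowest protocol floor the build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # the weak-ssl-version case
    except ValueError:
        pass  # this OpenSSL build refuses TLS 1.0 outright; the default floor stays
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the problems a reviewer would flag on this context (empty if none)."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname matching disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def connect_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the negotiated protocol name.

    server_hostname drives both SNI and hostname matching, the two things
    wrap_socket() omitted. Requires network access; not run in the demo.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

Since Python 3.10 a fresh `SSLContext` already defaults to a TLS 1.2 floor, so on a current interpreter the weak context may only trip the hostname and verification checks; setting `minimum_version` explicitly, as the hardened context does, makes the floor independent of the interpreter and OpenSSL build.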
This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run\",\"id\":\"python.lang.security.dangerous-code-run.dangerous-interactive-code-run\",\"name\":\"python.lang.security.dangerous-code-run.dangerous-interactive-code-run\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-code-run.dangerous-interactive-code-run\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\"},\"help\":{\"markdown\":\"Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. 
Refactor your code not to use \u0027globals()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use)\\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\\n\",\"text\":\"Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use\",\"id\":\"python.lang.security.dangerous-globals-use.dangerous-globals-use\",\"name\":\"python.lang.security.dangerous-globals-use.dangerous-globals-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-globals-use.dangerous-globals-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\"},\"help\":{\"markdown\":\"Found user controlled content when spawning a process. 
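The dangerous-globals-use rule above says to refactor rather than sanitize, and the reason is that `globals()` exposes every module-level name, not just the handlers you meant to expose. The block below is an added example (not code from the scanned project or from Semgrep) with constructed handler names: it shows a request-selected name resolving to an internal helper and to an imported module through `globals()`, and the explicit allow-list dispatch table that replaces it.

```python
"""Added example: dispatch on a user-supplied name via globals() versus an allow-list."""
import subprocess  # present only to show what a globals() lookup can reach


def handle_ping(arg: str) -> str:
    return "pong:" + arg


def handle_echo(arg: str) -> str:
    return arg


def _rotate_keys(arg: str) -> str:
    """An internal routine that was never meant to be reachable from a request."""
    return "keys rotated for " + arg


def dispatch_unsafe(action: str, arg: str) -> str:
    """The flagged pattern: request data selects any module-level name.

    Besides the intended handlers, globals() holds _rotate_keys, the
    subprocess module and __builtins__; whatever the caller names is what runs.
    """
    return globals()[action](arg)


# The fix: an explicit allow-list. Anything not in the table is rejected
# before any lookup happens, and the exposed surface is reviewable in one place.
HANDLERS = {
    "ping": handle_ping,
    "echo": handle_echo,
}


def dispatch_safe(action: str, arg: str) -> str:
    try:
        handler = HANDLERS[action]
    except KeyError:
        raise ValueError(f"unknown action: {action!r}") from None
    return handler(arg)


def reachable_via_globals(name: str) -> bool:
    """True if a request naming `name` would resolve through globals()."""
    return name in globals()


if __name__ == "__main__":
    print(dispatch_unsafe("_rotate_keys", "prod"))   # internal helper, reachable
    print(reachable_via_globals("subprocess"))        # True: an imported module
    print(reachable_via_globals("__builtins__"))      # True: the builtins namespace
    print(dispatch_safe("ping", "x"))
    try:
        dispatch_safe("_rotate_keys", "prod")
    except ValueError as exc:
        print("rejected:", exc)
```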
This is dangerous because it allows a malicious actor to execute commands.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec\",\"id\":\"python.lang.security.dangerous-os-exec.dangerous-os-exec\",\"name\":\"python.lang.security.dangerous-os-exec.dangerous-os-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-os-exec.dangerous-os-exec\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\"},\"help\":{\"markdown\":\"Found user controlled content when spawning a process. 
This is dangerous because it allows a malicious actor to execute commands.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process\",\"id\":\"python.lang.security.dangerous-spawn-process.dangerous-spawn-process\",\"name\":\"python.lang.security.dangerous-spawn-process.dangerous-spawn-process\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-spawn-process.dangerous-spawn-process\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\"},\"help\":{\"markdown\":\"Found user controlled content in `run_string`. 
This is dangerous because it allows a malicious actor to run arbitrary Python code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string\",\"id\":\"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string\",\"name\":\"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using \u0027shlex.escape()\u0027.\"},\"help\":{\"markdown\":\"Detected subprocess function \u0027$FUNC\u0027 with user controlled data. 
A malicious actor could leverage this to perform command injection. You may consider using \u0027shlex.escape()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use)\\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. 
You may consider using \u0027shlex.escape()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"id\":\"python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"name\":\"python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\"},\"help\":{\"markdown\":\"Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. 
Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call\",\"id\":\"python.lang.security.dangerous-system-call.dangerous-system-call\",\"name\":\"python.lang.security.dangerous-system-call.dangerous-system-call\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-system-call.dangerous-system-call\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\"},\"help\":{\"markdown\":\"Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp)\\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\\n\",\"text\":\"Found user controlled content in `run_in_subinterp`. 
This is dangerous because it allows a malicious actor to run arbitrary Python code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp\",\"id\":\"python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp\",\"name\":\"python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\"},\"help\":{\"markdown\":\"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. 
Instead, consider serializing the relevant data using `json` module.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\\n\",\"text\":\"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle\",\"id\":\"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle\",\"name\":\"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. 
This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\"},\"help\":{\"markdown\":\"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\\n\",\"text\":\"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. 
Use `yaml.safe_load` or `yaml.SafeLoader` instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load\",\"id\":\"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load\",\"name\":\"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\"},\"help\":{\"markdown\":\"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\\n\",\"text\":\"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. 
Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel\",\"id\":\"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel\",\"name\":\"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\"},\"help\":{\"markdown\":\"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n\",\"text\":\"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. 
When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle\",\"id\":\"python.lang.security.deserialization.pickle.avoid-cPickle\",\"name\":\"python.lang.security.deserialization.pickle.avoid-cPickle\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\"},\"help\":{\"markdown\":\"Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. 
Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n\",\"text\":\"Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill\",\"id\":\"python.lang.security.deserialization.pickle.avoid-dill\",\"name\":\"python.lang.security.deserialization.pickle.avoid-dill\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-dill\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\"},\"help\":{\"markdown\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. 
Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n\",\"text\":\"Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle\",\"id\":\"python.lang.security.deserialization.pickle.avoid-pickle\",\"name\":\"python.lang.security.deserialization.pickle.avoid-pickle\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-pickle\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\"},\"help\":{\"markdown\":\"Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. 
When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve)\\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\\n\",\"text\":\"Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve\",\"id\":\"python.lang.security.deserialization.pickle.avoid-shelve\",\"name\":\"python.lang.security.deserialization.pickle.avoid-shelve\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-shelve\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"id\":\"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"name\":\"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead.\"},\"help\":{\"markdown\":\"Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. 
Consider using \u0027SHA256\u0027 or a similar function instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function)\\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function\",\"id\":\"python.lang.security.insecure-hash-function.insecure-hash-function\",\"name\":\"python.lang.security.insecure-hash-function.insecure-hash-function\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.insecure-hash-function.insecure-hash-function\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). 
This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\"},\"help\":{\"markdown\":\"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\\n\",\"text\":\"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version\",\"id\":\"python.lang.security.insecure-uuid-version.insecure-uuid-version\",\"name\":\"python.lang.security.insecure-uuid-version.insecure-uuid-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-330: Use of Insufficiently Random Values\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. 
Use \u0027ssl.create_default_context\u0027 instead.\"},\"help\":{\"markdown\":\"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\\n\",\"text\":\"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context\",\"id\":\"python.lang.security.unverified-ssl-context.unverified-ssl-context\",\"name\":\"python.lang.security.unverified-ssl-context.unverified-ssl-context\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \\\"XML bombs\\\" can cause denial of service. 
Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.\"},\"help\":{\"markdown\":\"The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \\\"XML bombs\\\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse)\\n - [https://docs.python.org/3/library/xml.html](https://docs.python.org/3/library/xml.html)\\n - [https://github.com/tiran/defusedxml](https://github.com/tiran/defusedxml)\\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\\n\",\"text\":\"The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \\\"XML bombs\\\" can cause denial of service. Do not use this library to parse untrusted input. 
Instead the Python documentation recommends using `defusedxml`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse\",\"id\":\"python.lang.security.use-defused-xml-parse.use-defused-xml-parse\",\"name\":\"python.lang.security.use-defused-xml-parse.use-defused-xml-parse\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.use-defused-xml-parse.use-defused-xml-parse\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\"},\"help\":{\"markdown\":\"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\\n\",\"text\":\"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. 
Use defusedxml.xmlrpc instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc\",\"id\":\"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc\",\"name\":\"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\"},\"help\":{\"markdown\":\"Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. 
When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish)\\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\\n\",\"text\":\"Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish\",\"id\":\"python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish\",\"name\":\"python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\"},\"help\":{\"markdown\":\"Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des)\\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\\n\",\"text\":\"Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. 
Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des\",\"id\":\"python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des\",\"name\":\"python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\"},\"help\":{\"markdown\":\"Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. 
When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2)\\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\\n\",\"text\":\"Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2\",\"id\":\"python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2\",\"name\":\"python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected ARC4 cipher algorithm which is considered insecure. 
This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\"},\"help\":{\"markdown\":\"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\\n\",\"text\":\"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. 
When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4\",\"id\":\"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4\",\"name\":\"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\"},\"help\":{\"markdown\":\"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\\n\",\"text\":\"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. 
Use AES instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor\",\"id\":\"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor\",\"name\":\"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\"},\"help\":{\"markdown\":\"Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2\",\"id\":\"python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2\",\"name\":\"python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\"},\"help\":{\"markdown\":\"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4\",\"id\":\"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4\",\"name\":\"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)\\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5\",\"id\":\"python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5\",\"name\":\"python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1\",\"id\":\"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1\",\"name\":\"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\"},\"help\":{\"markdown\":\"Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\\n - [https://www.pycryptodome.org/src/public_key/dsa](https://www.pycryptodome.org/src/public_key/dsa)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\\n\",\"text\":\"Detected an insufficient key size for DSA. 
NIST recommends a key size of 2048 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"id\":\"python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"name\":\"python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\"},\"help\":{\"markdown\":\"Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\\n - [https://www.pycryptodome.org/src/public_key/rsa#rsa](https://www.pycryptodome.org/src/public_key/rsa#rsa)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\\n\",\"text\":\"Detected an insufficient key size for RSA. 
NIST recommends a key size of 3072 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"id\":\"python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"name\":\"python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\"},\"help\":{\"markdown\":\"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\\n\",\"text\":\"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth\",\"id\":\"python.pymongo.security.mongodb.mongo-client-bad-auth\",\"name\":\"python.pymongo.security.mongodb.mongo-client-bad-auth\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-477: Use of Obsolete Function\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\"},\"help\":{\"markdown\":\"Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. 
Use Pyramid\u0027s template engines to safely render HTML.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response\",\"id\":\"python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response\",\"name\":\"python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". Use bindParams to securely bind user-input to SQL statements.\"},\"help\":{\"markdown\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". 
Use bindParams to securely bind user-input to SQL statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection)\\n - [https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data](https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data)\\n\",\"text\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". Use bindParams to securely bind user-input to SQL statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection\",\"id\":\"python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection\",\"name\":\"python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. 
Re-enable certification validation.\"},\"help\":{\"markdown\":\"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\\n\",\"text\":\"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation\",\"id\":\"python.requests.security.disabled-cert-validation.disabled-cert-validation\",\"name\":\"python.requests.security.disabled-cert-validation.disabled-cert-validation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. 
Use \u0027https://\u0027 instead.\"},\"help\":{\"markdown\":\"Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http)\\n - [https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/](https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/)\\n - [https://bento.dev/checks/requests/no-auth-over-http/](https://bento.dev/checks/requests/no-auth-over-http/)\\n\",\"text\":\"Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http\",\"id\":\"python.requests.security.no-auth-over-http.no-auth-over-http\",\"name\":\"python.requests.security.no-auth-over-http.no-auth-over-http\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-523: Unprotected Transport of Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.requests.security.no-auth-over-http.no-auth-over-http\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. 
Instead, use a list and append the argument.\"},\"help\":{\"markdown\":\"Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sh.security.string-concat.string-concat)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sh.security.string-concat.string-concat\",\"id\":\"python.sh.security.string-concat.string-concat\",\"name\":\"python.sh.security.string-concat.string-concat\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sh.security.string-concat.string-concat\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Rather than adding one element at a time, consider batch loading to improve performance.\"},\"help\":{\"markdown\":\"Rather than adding one element at a time, consider batch loading to improve performance.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import)\\n\",\"text\":\"Rather than adding one element at a time, consider batch loading to improve performance.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import\",\"id\":\"python.sqlalchemy.performance.performance-improvements.batch-import\",\"name\":\"python.sqlalchemy.performance.performance-improvements.batch-import\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sqlalchemy.performance.performance-improvements.batch-import\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\"},\"help\":{\"markdown\":\"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count)\\n\",\"text\":\"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count\",\"id\":\"python.sqlalchemy.performance.performance-improvements.len-all-count\",\"name\":\"python.sqlalchemy.performance.performance-improvements.len-all-count\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sqlalchemy.performance.performance-improvements.len-all-count\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\"},\"help\":{\"markdown\":\"sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)\\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\\n\",\"text\":\"sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) 
to construct SQL.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text\",\"id\":\"python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text\",\"name\":\"python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\"},\"help\":{\"markdown\":\"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. 
In most cases, SQLAlchemy ORM will be a better option.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\\n\",\"text\":\"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. 
In most cases, SQLAlchemy ORM will be a better option.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query\",\"id\":\"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query\",\"name\":\"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". Use bindParams to securely bind user-input to SQL statements.\"},\"help\":{\"markdown\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". 
Use bindParams to securely bind user-input to SQL statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \\\"bindparams\\\". Use bindParams to securely bind user-input to SQL statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection\",\"id\":\"python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection\",\"name\":\"python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\"},\"help\":{\"markdown\":\"Using non-constant TwiML (Twilio Markup 
Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection)\\n - [https://codeberg.org/fennix/funjection](https://codeberg.org/fennix/funjection)\\n\",\"text\":\"Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection\",\"id\":\"python.twilio.security.twiml-injection.twiml-injection\",\"name\":\"python.twilio.security.twiml-injection.twiml-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-91: XML Injection\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: python.twilio.security.twiml-injection.twiml-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\\\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\\\", author_id, start_date]`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `Example.find_by_sql [\\\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\\\", author_id, start_date]`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli)\\n - [https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql](https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\\\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\\\", author_id, start_date]`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli\",\"id\":\"ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli\",\"name\":\"ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. 
In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli)\\n - [https://github.com/brianmario/mysql2](https://github.com/brianmario/mysql2)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use sanitize statements like so: `escaped = client.escape(user_input)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli\",\"id\":\"ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli\",\"name\":\"ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli)\\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli\",\"id\":\"ruby.aws-lambda.security.pg-sqli.pg-sqli\",\"name\":\"ruby.aws-lambda.security.pg-sqli.pg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.pg-sqli.pg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\\n\",\"text\":\"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli\",\"id\":\"ruby.aws-lambda.security.sequel-sqli.sequel-sqli\",\"name\":\"ruby.aws-lambda.security.sequel-sqli.sequel-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\"},\"help\":{\"markdown\":\"Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. 
If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization)\\n - [https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html](https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html)\\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\\n\",\"text\":\"Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. 
If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization\",\"id\":\"ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization\",\"name\":\"ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\"},\"help\":{\"markdown\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\\n\",\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"id\":\"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"name\":\"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. 
This means a malicious actor could forge a JWT token with any claims.\"},\"help\":{\"markdown\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify\",\"id\":\"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify\",\"name\":\"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The object is passed strictly to jsonwebtoken.sign(...) 
Make sure that sensitive information is not exposed through JWT token payload.\"},\"help\":{\"markdown\":\"The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data\",\"id\":\"ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data\",\"name\":\"ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\"},\"help\":{\"markdown\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. 
Do not store passwords in JWT tokens.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\\n\",\"text\":\"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials\",\"id\":\"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials\",\"name\":\"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\"},\"help\":{\"markdown\":\"Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. 
keeping secrets in environment variables)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret\",\"id\":\"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret\",\"name\":\"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. 
This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg\",\"id\":\"ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg\",\"name\":\"ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\"},\"help\":{\"markdown\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\\n\",\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash\",\"id\":\"ruby.lang.security.audit.sha224-hash.sha224-hash\",\"name\":\"ruby.lang.security.audit.sha224-hash.sha224-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.audit.sha224-hash.sha224-hash\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\"},\"help\":{\"markdown\":\"Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. 
Use JSON in a secure fashion instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization)\\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\\n\",\"text\":\"Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization\",\"id\":\"ruby.lang.security.bad-deserialization.bad-deserialization\",\"name\":\"ruby.lang.security.bad-deserialization.bad-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.bad-deserialization.bad-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. 
The hybrid check is just to warn users to migrate to :json for best practice.\"},\"help\":{\"markdown\":\"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\\n\",\"text\":\"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. 
The hybrid check is just to warn users to migrate to :json for best practice.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization\",\"id\":\"ruby.lang.security.cookie-serialization.cookie-serialization\",\"name\":\"ruby.lang.security.cookie-serialization.cookie-serialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\"},\"help\":{\"markdown\":\"Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. 
To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.create-with.create-with)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb)\\n - [https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ](https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ)\\n\",\"text\":\"Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.create-with.create-with\",\"id\":\"ruby.lang.security.create-with.create-with\",\"name\":\"ruby.lang.security.create-with.create-with\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.create-with.create-with\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\\n\",\"text\":\"Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec\",\"id\":\"ruby.lang.security.dangerous-exec.dangerous-exec\",\"name\":\"ruby.lang.security.dangerous-exec.dangerous-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open\",\"id\":\"ruby.lang.security.dangerous-open.dangerous-open\",\"name\":\"ruby.lang.security.dangerous-open.dangerous-open\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside $PIPE. 
Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline\",\"id\":\"ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline\",\"name\":\"ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell\",\"id\":\"ruby.lang.security.dangerous-subshell.dangerous-subshell\",\"name\":\"ruby.lang.security.dangerous-subshell.dangerous-subshell\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\"},\"help\":{\"markdown\":\"\u0027syscall\u0027 is essentially unsafe and unportable. 
The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall\",\"id\":\"ruby.lang.security.dangerous-syscall.dangerous-syscall\",\"name\":\"ruby.lang.security.dangerous-syscall.dangerous-syscall\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a possible ZeroDivisionError.\"},\"help\":{\"markdown\":\"Detected a possible ZeroDivisionError.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb)\\n\",\"text\":\"Detected a 
possible ZeroDivisionError.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero\",\"id\":\"ruby.lang.security.divide-by-zero.divide-by-zero\",\"name\":\"ruby.lang.security.divide-by-zero.divide-by-zero\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-369: Divide By Zero\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.divide-by-zero.divide-by-zero\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\"},\"help\":{\"markdown\":\"Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb)\\n - [https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ](https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ)\\n\",\"text\":\"Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. 
To fix this, set config.serve_static_assets = false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure\",\"id\":\"ruby.lang.security.file-disclosure.file-disclosure\",\"name\":\"ruby.lang.security.file-disclosure.file-disclosure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.file-disclosure.file-disclosure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for configuration setting of force_ssl to false. force_ssl forces usage of HTTPS; disabling it allows plaintext HTTP, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\"},\"help\":{\"markdown\":\"Checks for configuration setting of force_ssl to false. force_ssl forces usage of HTTPS; disabling it allows plaintext HTTP, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb)\\n\",\"text\":\"Checks for configuration setting of force_ssl to false. force_ssl forces usage of HTTPS; disabling it allows plaintext HTTP, which could lead to network interception of unencrypted application traffic. 
To fix, set config.force_ssl = true.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false\",\"id\":\"ruby.lang.security.force-ssl-false.force-ssl-false\",\"name\":\"ruby.lang.security.force-ssl-false.force-ssl-false\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"HIGH CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.force-ssl-false.force-ssl-false\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\"},\"help\":{\"markdown\":\"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. 
Consider refactoring to use environment variables or configuration files.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller\",\"id\":\"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller\",\"name\":\"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source code. It is recommended to remove the passphrase from source code, and use system environment variables or a restricted configuration file.\"},\"help\":{\"markdown\":\"Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source code. It is recommended to remove the passphrase from source code, and use system environment variables or a restricted configuration file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase)\\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\\n\",\"text\":\"Found the use of a hardcoded passphrase for RSA. 
The passphrase can be easily discovered, and therefore should not be stored in source code. It is recommended to remove the passphrase from source code, and use system environment variables or a restricted configuration file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase\",\"id\":\"ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase\",\"name\":\"ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 bits or higher.\"},\"help\":{\"markdown\":\"The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 bits or higher.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\\n\",\"text\":\"The RSA key size $SIZE is insufficient by NIST standards. 
It is recommended to use a key length of 2048 or higher.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"id\":\"ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"name\":\"ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\"},\"help\":{\"markdown\":\"Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Checks if HTML escaping is globally disabled for JSON output. 
This could lead to XSS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape\",\"id\":\"ruby.lang.security.json-entity-escape.json-entity-escape\",\"name\":\"ruby.lang.security.json-entity-escape.json-entity-escape\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.json-entity-escape.json-entity-escape\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\"},\"help\":{\"markdown\":\"Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. 
\u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled\",\"id\":\"ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled\",\"name\":\"ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. 
Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. 
You can use the `bcrypt` gem.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password\",\"id\":\"ruby.lang.security.md5-used-as-password.md5-used-as-password\",\"name\":\"ruby.lang.security.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\"},\"help\":{\"markdown\":\"Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. 
Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection\",\"id\":\"ruby.lang.security.missing-csrf-protection.missing-csrf-protection\",\"name\":\"ruby.lang.security.missing-csrf-protection.missing-csrf-protection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\"},\"help\":{\"markdown\":\"Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. 
Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb)\\n\",\"text\":\"Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible\",\"id\":\"ruby.lang.security.model-attr-accessible.model-attr-accessible\",\"name\":\"ruby.lang.security.model-attr-accessible.model-attr-accessible\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.model-attr-accessible.model-attr-accessible\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. 
For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\"},\"help\":{\"markdown\":\"Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb)\\n\",\"text\":\"Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. 
For older Rails versions, they should be allowlisted using strong_attributes.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible\",\"id\":\"ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible\",\"name\":\"ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\"},\"help\":{\"markdown\":\"Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. 
Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval\",\"id\":\"ruby.lang.security.no-eval.ruby-eval\",\"name\":\"ruby.lang.security.no-eval.ruby-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.no-eval.ruby-eval\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\"},\"help\":{\"markdown\":\"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. 
Please be sure to sanitize input in order to avoid this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\\n\",\"text\":\"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send\",\"id\":\"ruby.lang.security.no-send.bad-send\",\"name\":\"ruby.lang.security.no-send.bad-send\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.no-send.bad-send\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\"},\"help\":{\"markdown\":\"Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. 
Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify\",\"id\":\"ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify\",\"name\":\"ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\"},\"help\":{\"markdown\":\"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. 
For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\\n\",\"text\":\"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. 
Instead, configure attr_accessible to control attribute access.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln\",\"id\":\"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln\",\"name\":\"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\"},\"help\":{\"markdown\":\"Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. 
Use SHA256 or other hashing functions instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5)\\n - [https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575](https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575)\\n\",\"text\":\"Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5\",\"id\":\"ruby.lang.security.weak-hashes-md5.weak-hashes-md5\",\"name\":\"ruby.lang.security.weak-hashes-md5.weak-hashes-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.weak-hashes-md5.weak-hashes-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\"},\"help\":{\"markdown\":\"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. 
Use SHA256, SHA3 or other hashing functions instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\\n - [https://shattered.io/](https://shattered.io/)\\n\",\"text\":\"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1\",\"id\":\"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1\",\"name\":\"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn\u0027t intend them to. Do not use user input as a session key.\"},\"help\":{\"markdown\":\"## Remediation\\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. 
to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\\n\\n## References\\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\\n\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\\n\",\"text\":\"## Remediation\\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\\n\\n## References\\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\\n\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation\",\"id\":\"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation\",\"name\":\"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-276: Incorrect Default Permissions\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Allowing an attacker to manipulate the session may lead to unintended behavior.\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\"},\"help\":{\"markdown\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\\n\",\"text\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access\",\"id\":\"ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access\",\"name\":\"ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\"},\"help\":{\"markdown\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\\n\",\"text\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call\",\"id\":\"ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call\",\"name\":\"ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\"},\"help\":{\"markdown\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\\n\",\"text\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request\",\"id\":\"ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request\",\"name\":\"ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\"},\"help\":{\"markdown\":\"Using user input when accessing files is potentially dangerous. 
A malicious actor could use this to modify or access files they have no right to.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\\n\",\"text\":\"Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call\",\"id\":\"ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call\",\"name\":\"ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\"},\"help\":{\"markdown\":\"Found that the setting for providing detailed exception reports in Rails is set to true. 
This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions\",\"id\":\"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions\",\"name\":\"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This call turns off CSRF protection allowing CSRF attacks against the application\"},\"help\":{\"markdown\":\"This call turns off CSRF protection allowing CSRF attacks against the application\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection)\\n - [https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection)\\n\",\"text\":\"This call turns off CSRF protection allowing CSRF attacks against the application\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection\",\"id\":\"ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection\",\"name\":\"ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. 
In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli\",\"id\":\"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli\",\"name\":\"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. 
If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\"},\"help\":{\"markdown\":\"\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\\n\",\"text\":\"\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. 
Ensure no external data enters the HTML-safe string!\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag\",\"id\":\"ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag\",\"name\":\"ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\"},\"help\":{\"markdown\":\"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. 
Instead, remove this line and explicitly include all routes you intend external users to follow.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\\n\",\"text\":\"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes\",\"id\":\"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes\",\"name\":\"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-276: Incorrect Default Permissions\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
Ensure no external data reaches here.\"},\"help\":{\"markdown\":\"\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\\n\",\"text\":\"\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
Ensure no external data reaches here.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe\",\"id\":\"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe\",\"name\":\"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\"},\"help\":{\"markdown\":\"This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. 
It is better to create and use a safer function which checks the body argument.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to)\\n - [https://brakemanscanner.org/docs/warning_types/link_to/](https://brakemanscanner.org/docs/warning_types/link_to/)\\n - [https://brakemanscanner.org/docs/warning_types/link_to_href/](https://brakemanscanner.org/docs/warning_types/link_to_href/)\\n\",\"text\":\"This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to\",\"id\":\"ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to\",\"name\":\"ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\"},\"help\":{\"markdown\":\"\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw)\\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw](https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw)\\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\\n\",\"text\":\"\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw\",\"id\":\"ruby.rails.security.audit.xss.avoid-raw.avoid-raw\",\"name\":\"ruby.rails.security.audit.xss.avoid-raw.avoid-raw\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-raw.avoid-raw\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\"},\"help\":{\"markdown\":\"When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect)\\n - [https://brakemanscanner.org/docs/warning_types/redirect/](https://brakemanscanner.org/docs/warning_types/redirect/)\\n\",\"text\":\"When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. 
When using user-supplied values, sanitize the value before using it for the redirect.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect\",\"id\":\"ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect\",\"name\":\"ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\"},\"help\":{\"markdown\":\"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\\n\",\"text\":\"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. 
To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path\",\"id\":\"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path\",\"name\":\"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\"},\"help\":{\"markdown\":\"\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. 
Instead, consider using a partial or another safe rendering method.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline)\\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\\n\",\"text\":\"\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline\",\"id\":\"ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline\",\"name\":\"ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\"},\"help\":{\"markdown\":\"\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\\n\",\"text\":\"\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. 
Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text\",\"id\":\"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text\",\"name\":\"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\"},\"help\":{\"markdown\":\"Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. 
Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation)\\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\\n\",\"text\":\"Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation\",\"id\":\"ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation\",\"name\":\"ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. 
If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\"},\"help\":{\"markdown\":\"The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe)\\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\\n\",\"text\":\"The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. 
If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe\",\"id\":\"ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe\",\"name\":\"ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\"},\"help\":{\"markdown\":\"\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. 
Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag)\\n - [https://brakemanscanner.org/docs/warning_types/content_tag/](https://brakemanscanner.org/docs/warning_types/content_tag/)\\n\",\"text\":\"\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag\",\"id\":\"ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag\",\"name\":\"ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). 
If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\"},\"help\":{\"markdown\":\"\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe)\\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\\n\",\"text\":\"\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). 
If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe\",\"id\":\"ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe\",\"name\":\"ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\"},\"help\":{\"markdown\":\"\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). 
If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\\n\",\"text\":\"\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw\",\"id\":\"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw\",\"name\":\"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a unquoted template variable as an attribute. 
If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \\\"\u003c%= expr %\u003e\\\".\"},\"help\":{\"markdown\":\"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \\\"\u003c%= expr %\u003e\\\".\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute)\\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes)\\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\\n\",\"text\":\"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. 
To fix this, add quotes around the template expression, like this: \\\"\u003c%= expr %\u003e\\\".\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute\",\"id\":\"ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute\",\"name\":\"ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\"},\"help\":{\"markdown\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. 
You may also consider setting the Content Security Policy (CSP) header.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\\n\",\"text\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href\",\"id\":\"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href\",\"name\":\"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template variable used in a script tag. 
Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\"},\"help\":{\"markdown\":\"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\\n\",\"text\":\"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. 
However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag\",\"id\":\"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag\",\"name\":\"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\"},\"help\":{\"markdown\":\"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\\n\",\"text\":\"Found potentially unsafe handling of redirect behavior $X. 
Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to\",\"id\":\"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to\",\"name\":\"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\"},\"help\":{\"markdown\":\"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. 
If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n\",\"text\":\"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos\",\"id\":\"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos\",\"name\":\"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1333: Inefficient Regular Expression Complexity\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found request parameters in a call to `render`. 
This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\"},\"help\":{\"markdown\":\"Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include)\\n - [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)\\n - [https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60](https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60)\\n\",\"text\":\"Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. 
If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include\",\"id\":\"ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include\",\"name\":\"ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\"},\"help\":{\"markdown\":\"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. 
Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\\n\",\"text\":\"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file\",\"id\":\"ruby.rails.security.brakeman.check-send-file.check-send-file\",\"name\":\"ruby.rails.security.brakeman.check-send-file.check-send-file\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-73: External Control of File Name or Path\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\"},\"help\":{\"markdown\":\"Found potential SQL injection due to unsafe SQL query construction via $X. 
Where possible, prefer parameterized queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb)\\n\",\"text\":\"Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql\",\"id\":\"ruby.rails.security.brakeman.check-sql.check-sql\",\"name\":\"ruby.rails.security.brakeman.check-sql.check-sql\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: ruby.rails.security.brakeman.check-sql.check-sql\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\"},\"help\":{\"markdown\":\"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. 
User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled)\\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\\n\",\"text\":\"XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled\",\"id\":\"scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled\",\"name\":\"scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found dynamic content used for the external process. 
This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\"},\"help\":{\"markdown\":\"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. 
Use `Seq(...)` for dynamically generated commands.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run\",\"id\":\"scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run\",\"name\":\"scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\"},\"help\":{\"markdown\":\"Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug)\\n - [https://docs.scala-lang.org/overviews/compiler-options/index.html](https://docs.scala-lang.org/overviews/compiler-options/index.html)\\n\",\"text\":\"Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. 
Remove it from configuration.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug\",\"id\":\"scala.lang.security.audit.scalac-debug.scalac-debug\",\"name\":\"scala.lang.security.audit.scalac-debug.scalac-debug\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.lang.security.audit.scalac-debug.scalac-debug\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\"},\"help\":{\"markdown\":\"A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n - [https://github.com/scalaj/scalaj-http#simplified-http](https://github.com/scalaj/scalaj-http#simplified-http)\\n\",\"text\":\"A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf\",\"id\":\"scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf\",\"name\":\"scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. 
User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\"},\"help\":{\"markdown\":\"XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled)\\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\\n\",\"text\":\"XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. 
Make sure to disable entity processing functionality.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled\",\"id\":\"scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled\",\"name\":\"scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\"},\"help\":{\"markdown\":\"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the `Secure` flag by setting `secure` to `true` in configuration file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\\n\",\"text\":\"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings\",\"id\":\"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings\",\"name\":\"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a request with potential user-input going into an `Ok()` response. 
This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\"},\"help\":{\"markdown\":\"Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. 
Consider using a view technology such as Twirl which automatically escapes HTML views.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response\",\"id\":\"scala.play.security.tainted-html-response.tainted-html-response\",\"name\":\"scala.play.security.tainted-html-response.tainted-html-response\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.play.security.tainted-html-response.tainted-html-response\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.\"},\"help\":{\"markdown\":\"Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli)\\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\\n - [https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code](https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code)\\n\",\"text\":\"Detected a tainted SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli\",\"id\":\"scala.play.security.tainted-slick-sqli.tainted-slick-sqli\",\"name\":\"scala.play.security.tainted-slick-sqli.tainted-slick-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.play.security.tainted-slick-sqli.tainted-slick-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\"},\"help\":{\"markdown\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request)\\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\\n\",\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"id\":\"scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"name\":\"scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A parameter being passed directly into `WSClient` most likely lead to SSRF. 
This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.\"},\"help\":{\"markdown\":\"A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n - [https://www.playframework.com/documentation/2.8.x/ScalaWS](https://www.playframework.com/documentation/2.8.x/ScalaWS)\\n\",\"text\":\"A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts hardcode the correct host.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf\",\"id\":\"scala.play.security.webservice-ssrf.webservice-ssrf\",\"name\":\"scala.play.security.webservice-ssrf.webservice-ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.play.security.webservice-ssrf.webservice-ssrf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\"},\"help\":{\"markdown\":\"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. 
keeping secrets in environment variables)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret\",\"id\":\"scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret\",\"name\":\"scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Avoid using non literal values in `overrideSql(...)`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal\",\"id\":\"scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal\",\"name\":\"scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\\\"...\\\"` strings instead.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\\\"...\\\"` strings instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\\n\",\"text\":\"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\\\"...\\\"` strings instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal\",\"id\":\"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal\",\"name\":\"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\"},\"help\":{\"markdown\":\"$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens)\\n - [https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)\\n - [https://hackmd.io/@sentimentxyz/SJCySo1z2](https://hackmd.io/@sentimentxyz/SJCySo1z2)\\n\",\"text\":\"$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only 
reentrancy.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens\",\"id\":\"solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens\",\"name\":\"solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\"},\"help\":{\"markdown\":\"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\\n\",\"text\":\"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate\",\"id\":\"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate\",\"name\":\"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Function borrowFresh() in Compound performs state update after doTransferOut()\"},\"help\":{\"markdown\":\"Function borrowFresh() in Compound performs state update after doTransferOut()\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy)\\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\\n - [https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4](https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4)\\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\\n\",\"text\":\"Function borrowFresh() in Compound performs state update after doTransferOut()\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy\",\"id\":\"solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy\",\"name\":\"solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Function sweepToken is allowed to be called by anyone\"},\"help\":{\"markdown\":\"Function sweepToken is allowed to be called by anyone\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\\n\",\"text\":\"Function sweepToken is allowed to be called by anyone\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted\",\"id\":\"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted\",\"name\":\"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\"},\"help\":{\"markdown\":\"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\\n\",\"text\":\"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy\",\"id\":\"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy\",\"name\":\"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"abi.encodePacked hash collision with variable length arguments in $F()\"},\"help\":{\"markdown\":\"abi.encodePacked hash collision with variable length arguments in $F()\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\\n\",\"text\":\"abi.encodePacked hash collision with variable length arguments in $F()\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision\",\"id\":\"solidity.security.encode-packed-collision.encode-packed-collision\",\"name\":\"solidity.security.encode-packed-collision.encode-packed-collision\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-20: Improper Input Validation\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ERC677 callAfterTransfer() 
reentrancy\"},\"help\":{\"markdown\":\"ERC677 callAfterTransfer() reentrancy\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy)\\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\\n - [https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58](https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58)\\n\",\"text\":\"ERC677 callAfterTransfer() reentrancy\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy\",\"id\":\"solidity.security.erc677-reentrancy.erc677-reentrancy\",\"name\":\"solidity.security.erc677-reentrancy.erc677-reentrancy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.erc677-reentrancy.erc677-reentrancy\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Custom ERC721 implementation lacks access control checks in _transfer()\"},\"help\":{\"markdown\":\"Custom ERC721 implementation lacks access control checks in _transfer()\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom)\\n - [https://twitter.com/BlockSecAlert/status/1516289618605654024](https://twitter.com/BlockSecAlert/status/1516289618605654024)\\n - [https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b](https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b)\\n\",\"text\":\"Custom ERC721 implementation lacks access control checks in _transfer()\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom\",\"id\":\"solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom\",\"name\":\"solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ERC721 onERC721Received() reentrancy\"},\"help\":{\"markdown\":\"ERC721 onERC721Received() reentrancy\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\\n - 
[https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\\n\",\"text\":\"ERC721 onERC721Received() reentrancy\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy\",\"id\":\"solidity.security.erc721-reentrancy.erc721-reentrancy\",\"name\":\"solidity.security.erc721-reentrancy.erc721-reentrancy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ERC777 tokensReceived() reentrancy\"},\"help\":{\"markdown\":\"ERC777 tokensReceived() reentrancy\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\\n\",\"text\":\"ERC777 tokensReceived() reentrancy\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy\",\"id\":\"solidity.security.erc777-reentrancy.erc777-reentrancy\",\"name\":\"solidity.security.erc777-reentrancy.erc777-reentrancy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-841: Improper Enforcement of 
Behavioral Workflow\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"blockhash(block.number) and blockhash(block.number + N) always returns 0.\"},\"help\":{\"markdown\":\"blockhash(block.number) and blockhash(block.number + N) always returns 0.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash)\\n - [https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620](https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620)\\n\",\"text\":\"blockhash(block.number) and blockhash(block.number + N) always returns 0.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash\",\"id\":\"solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash\",\"name\":\"solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-341: Predictable from Observable State\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.\"},\"help\":{\"markdown\":\"Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply 
needs to manipulate 2 data points to be able to impact the feed.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation)\\n - [https://twitter.com/peckshield/status/1510232640338608131](https://twitter.com/peckshield/status/1510232640338608131)\\n - [https://twitter.com/FrankResearcher/status/1510239094777032713](https://twitter.com/FrankResearcher/status/1510239094777032713)\\n - [https://twitter.com/larry0x/status/1510263618180464644](https://twitter.com/larry0x/status/1510263618180464644)\\n - [https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9](https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9)\\n - [https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f](https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f)\\n\",\"text\":\"Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation\",\"id\":\"solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation\",\"name\":\"solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-682: Incorrect Calculation\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\"},\"help\":{\"markdown\":\"Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx)\\n - [https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities](https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities)\\n - [https://x.com/shoucccc/status/1757777764646859121](https://x.com/shoucccc/status/1757777764646859121)\\n\",\"text\":\"Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. 
Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx\",\"id\":\"solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx\",\"name\":\"solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-682: Incorrect Calculation\",\"HIGH CONFIDENCE\",\"OWASP-A7:2021 Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The code must not contain any of Unicode Direction Control Characters\"},\"help\":{\"markdown\":\"The code must not contain any of Unicode Direction Control Characters\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\\n\",\"text\":\"The code must not contain any of Unicode Direction Control Characters\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters\",\"id\":\"solidity.security.no-bidi-characters.no-bidi-characters\",\"name\":\"solidity.security.no-bidi-characters.no-bidi-characters\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-837: Improper Enforcement of a Single, Unique Action\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"No slippage check in a Uniswap v2/v3 trade\"},\"help\":{\"markdown\":\"No slippage check in a Uniswap v2/v3 trade\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check)\\n - [https://uniswapv3book.com/docs/milestone_3/slippage-protection/](https://uniswapv3book.com/docs/milestone_3/slippage-protection/)\\n\",\"text\":\"No slippage check in a Uniswap v2/v3 trade\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check\",\"id\":\"solidity.security.no-slippage-check.no-slippage-check\",\"name\":\"solidity.security.no-slippage-check.no-slippage-check\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-682: Incorrect Calculation\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.no-slippage-check.no-slippage-check\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Proxy declares a state var that may override a storage slot of the implementation\"},\"help\":{\"markdown\":\"Proxy declares a state var that may override a storage slot of the 
implementation\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision)\\n - [https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)\\n\",\"text\":\"Proxy declares a state var that may override a storage slot of the implementation\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision\",\"id\":\"solidity.security.proxy-storage-collision.proxy-storage-collision\",\"name\":\"solidity.security.proxy-storage-collision.proxy-storage-collision\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-787: Out-of-bounds Write\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.proxy-storage-collision.proxy-storage-collision\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"transferFrom() can steal allowance of other accounts\"},\"help\":{\"markdown\":\"transferFrom() can steal allowance of other accounts\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\\n - 
[https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\\n\",\"text\":\"transferFrom() can steal allowance of other accounts\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug\",\"id\":\"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug\",\"name\":\"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-688: Function Call With Incorrect Variable or Reference as Argument\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"setMultipleAllowances() is missing onlyOwner modifier\"},\"help\":{\"markdown\":\"setMultipleAllowances() is missing onlyOwner modifier\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\\n\",\"text\":\"setMultipleAllowances() is missing onlyOwner modifier\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for 
Volumes should be encrypted to ensure sensitive data is stored securely.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\\n\",\"text\":\"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted\",\"id\":\"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted\",\"name\":\"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"EC2 instances should not have a public IP address attached in order to block public access to the instances. 
To fix this, set your `associate_public_ip_address` to `\\\"false\\\"`.\"},\"help\":{\"markdown\":\"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\\\"false\\\"`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\\\"false\\\"`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip\",\"id\":\"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip\",\"name\":\"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1220: Insufficient Granularity of Access Control\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. 
You should either disable IMDS or require the use of IMDSv2.\"},\"help\":{\"markdown\":\"The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options)\\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\\n\",\"text\":\"The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. 
You should either disable IMDS or require the use of IMDSv2.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled\",\"id\":\"terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled\",\"name\":\"terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1390: Weak Authentication\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\"},\"help\":{\"markdown\":\"The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. 
This can be done by setting `image_tag_mutability` to IMMUTABLE.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\\n\",\"text\":\"The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags\",\"id\":\"terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags\",\"name\":\"terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). 
Instead, limit principals, actions and resources to what you need according to least privilege.\"},\"help\":{\"markdown\":\"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n\",\"text\":\"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). 
Instead, limit principals, actions and resources to what you need according to least privilege.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal\",\"id\":\"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal\",\"name\":\"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure EFS filesystem is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \\\"tls_security_policy\\\" equal to \\\"Policy-Min-TLS-1-2-2019-07\\\".\"},\"help\":{\"markdown\":\"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \\\"tls_security_policy\\\" equal to \\\"Policy-Min-TLS-1-2-2019-07\\\".\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected an AWS Elasticsearch domain using an insecure version of TLS. 
To fix this, set \\\"tls_security_policy\\\" equal to \\\"Policy-Min-TLS-1-2-2019-07\\\".\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version\",\"id\":\"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version\",\"name\":\"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure all Elasticsearch has node-to-node encryption enabled.\\t\"},\"help\":{\"markdown\":\"Ensure all Elasticsearch has node-to-node encryption enabled.\\t\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure all Elasticsearch has node-to-node encryption enabled.\\t\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled\",\"id\":\"terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled\",\"name\":\"terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ELB has no logging. Missing logs can cause missing important event information.\"},\"help\":{\"markdown\":\"ELB has no logging. Missing logs can cause missing important event information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"ELB has no logging. 
Missing logs can cause missing important event information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled\",\"id\":\"terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled\",\"name\":\"terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure EMR is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure FSX Windows file system is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\"},\"help\":{\"markdown\":\"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n\",\"text\":\"Detected wildcard access granted to Glacier Vault. 
This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal\",\"id\":\"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal\",\"name\":\"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\"},\"help\":{\"markdown\":\"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n\",\"text\":\"Detected admin access granted in your policy. 
This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin\",\"id\":\"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin\",\"name\":\"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\"},\"help\":{\"markdown\":\"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n\",\"text\":\"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. 
Instead, limit actions and resources to what you need according to least privilege.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy\",\"id\":\"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy\",\"name\":\"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure ImageBuilder component is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\\\"true\\\"`.\"},\"help\":{\"markdown\":\"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\\\"true\\\"`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected an AWS Redshift configuration with a SSL disabled. 
To fix this, set your `require_ssl` to `\\\"true\\\"`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration\",\"id\":\"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration\",\"name\":\"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure Kinesis stream is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\"},\"help\":{\"markdown\":\"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. 
Enable Kinesis stream server-side encryption.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\\n\",\"text\":\"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted\",\"id\":\"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted\",\"name\":\"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure Kinesis video stream is encrypted at rest using KMS CMKs. 
CMKs gives you control over the encryption key in terms of access and rotation.\"},\"help\":{\"markdown\":\"Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk\",\"id\":\"terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk\",\"name\":\"terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. 
Instead, limit principals, actions and resources to what you need according to least privilege.\"},\"help\":{\"markdown\":\"Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n\",\"text\":\"Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal\",\"id\":\"terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal\",\"name\":\"terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. 
To fix this, set a `enable_key_rotation`.\"},\"help\":{\"markdown\":\"The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation\",\"id\":\"terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation\",\"name\":\"terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. 
It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials\",\"id\":\"terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials\",\"name\":\"terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\"},\"help\":{\"markdown\":\"By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. 
You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted\",\"id\":\"terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted\",\"name\":\"terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-320: CWE CATEGORY: Key Management Errors\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The AWS Lambda permission has an AWS service principal but does not specify a source ARN. 
If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\"},\"help\":{\"markdown\":\"The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn)\\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)\\n - [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)\\n\",\"text\":\"The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. 
Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn\",\"id\":\"terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn\",\"name\":\"terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"HIGH CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\"},\"help\":{\"markdown\":\"The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. 
This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active)\\n - [https://cwe.mitre.org/data/definitions/778.html](https://cwe.mitre.org/data/definitions/778.html)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode)\\n - [https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html)\\n\",\"text\":\"The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. 
This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active\",\"id\":\"terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active\",\"name\":\"terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-778: Insufficient Logging\",\"MEDIUM CONFIDENCE\",\"OWASP-A09:2021 Security Logging and Monitoring Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials\",\"id\":\"terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials\",\"name\":\"terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Provisioners are a tool of last resort and should be avoided where possible. 
Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\"},\"help\":{\"markdown\":\"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\\n\",\"text\":\"Provisioners are a tool of last resort and should be avoided where possible. 
terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\"},\"help\":{\"markdown\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\\n\",\"text\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. 
Add `http2_enabled = true` to your appservice resource block\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2\",\"id\":\"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2\",\"name\":\"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.\"},\"help\":{\"markdown\":\"By default, clients can connect to App Service by using both HTTP or HTTPS. 
HTTP should be disabled enabling the HTTPS Only setting.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only)\\n - [https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https)\\n\",\"text\":\"By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only\",\"id\":\"terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only\",\"name\":\"terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Detected an AppService that was not configured to use a client certificate. 
Add `client_cert_enabled = true` in your resource block.\"},\"help\":{\"markdown\":\"Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled)\\n\",\"text\":\"Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert\",\"id\":\"terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert\",\"name\":\"terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected an AppService that was not configured to use TLS 1.2. 
Add `site_config.min_tls_version = \\\"1.2\\\"` in your resource block.\"},\"help\":{\"markdown\":\"Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \\\"1.2\\\"` in your resource block.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version)\\n\",\"text\":\"Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \\\"1.2\\\"` in your resource block.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy\",\"id\":\"terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy\",\"name\":\"terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Enabling authentication ensures that all communications in the application are authenticated. 
The `auth_settings` block needs to be filled out with the appropriate auth backend settings\"},\"help\":{\"markdown\":\"Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled)\\n\",\"text\":\"Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled\",\"id\":\"terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled\",\"name\":\"terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\"},\"help\":{\"markdown\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled)\\n\",\"text\":\"Use the latest version of HTTP to ensure you are benefiting from security fixes. 
Add `http2_enabled = true` to your function app resource block\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2\",\"id\":\"terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2\",\"name\":\"terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Key vault Secret should have a content type set\"},\"help\":{\"markdown\":\"Key vault Secret should have a content type set\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type)\\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\\n\",\"text\":\"Key vault Secret should have a content type set\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret\",\"id\":\"terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret\",\"name\":\"terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Ensure that the expiration date is set on all keys\"},\"help\":{\"markdown\":\"Ensure that the expiration date is set on all keys\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date)\\n - [https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags)\\n\",\"text\":\"Ensure that the expiration date is set on all keys\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires\",\"id\":\"terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires\",\"name\":\"terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-262: Not Using Password Aging\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Ensure that the expiration date is set on all secrets\"},\"help\":{\"markdown\":\"Ensure that the expiration date is set on all secrets\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date)\\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\\n\",\"text\":\"Ensure that the expiration date is set on all secrets\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires\",\"id\":\"terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires\",\"name\":\"terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-262: Not Using Password Aging\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Key vault should have purge protection enabled\"},\"help\":{\"markdown\":\"Key vault should have purge protection enabled\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled)\\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection](https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection)\\n\",\"text\":\"Key vault should have purge protection enabled\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled\",\"id\":\"terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled\",\"name\":\"terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-693: Protection Mechanism Failure\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\"},\"help\":{\"markdown\":\"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\\n\",\"text\":\"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. 
The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl\",\"id\":\"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl\",\"name\":\"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1220: Insufficient Granularity of Access Control\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\"},\"help\":{\"markdown\":\"Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. 
To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass)\\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services](https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services)\\n\",\"text\":\"Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. 
To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass\",\"id\":\"terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass\",\"name\":\"terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1220: Insufficient Granularity of Access Control\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a Storage that was not configured to deny action by default. Add `default_action = \\\"Deny\\\"` in your resource block.\"},\"help\":{\"markdown\":\"Detected a Storage that was not configured to deny action by default. 
Add `default_action = \\\"Deny\\\"` in your resource block.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\\n\",\"text\":\"Detected a Storage that was not configured to deny action by default. Add `default_action = \\\"Deny\\\"` in your resource block.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny\",\"id\":\"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny\",\"name\":\"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-16: CWE CATEGORY: Configuration\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a Storage that was not configured to deny action by default. 
Add `enable_https_traffic_only = true` in your resource block.\"},\"help\":{\"markdown\":\"Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only)\\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)\\n\",\"text\":\"Detected a Storage that was not configured to deny action by default. 
Add `enable_https_traffic_only = true` in your resource block.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https\",\"id\":\"terraform.azure.security.storage.storage-enforce-https.storage-enforce-https\",\"name\":\"terraform.azure.security.storage.storage-enforce-https.storage-enforce-https\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\"},\"help\":{\"markdown\":\"Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. 
Requests are logged on a best-effort basis.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging)\\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet](https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet)\\n\",\"text\":\"Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. 
Requests are logged on a best-effort basis.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging\",\"id\":\"terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging\",\"name\":\"terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-778: Insufficient Logging\",\"LOW CONFIDENCE\",\"OWASP-A09:2021 - Security Logging and Monitoring Failures\",\"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\"},\"help\":{\"markdown\":\"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. 
This check will warn if the minimum TLS is not set to TLS1_2.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\\n\",\"text\":\"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. 
This check will warn if the minimum TLS is not set to TLS1_2.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy\",\"id\":\"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy\",\"name\":\"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\\\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\\\"`.\"},\"help\":{\"markdown\":\"Ensure all Cloud SQL database instance require incoming connections to use SSL. 
To enable this for PostgresSQL and MySQL, use `ssl_mode=\\\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\\\"`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql)\\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\\\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\\\"`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql\",\"id\":\"terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql\",\"name\":\"terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure all Cloud SQL database 
instance require incoming connections to use SSL. For SQL Server, `ssl_mode=\\\"ENCRYPTED_ONLY\\\"` is the most secure value that is supported.\"},\"help\":{\"markdown\":\"Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode=\\\"ENCRYPTED_ONLY\\\"` is the most secure value that is supported.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver)\\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Ensure all Cloud SQL database instance require incoming connections to use SSL. 
For SQL Server, `ssl_mode=\\\"ENCRYPTED_ONLY\\\"` is the most secure value that is supported.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver\",\"id\":\"terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver\",\"name\":\"terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The ECR Repository isn\u0027t configured to scan images on push\"},\"help\":{\"markdown\":\"The ECR Repository isn\u0027t configured to scan images on push\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push)\\n - [https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components)\\n\",\"text\":\"The ECR Repository isn\u0027t configured to scan images on push\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push\",\"id\":\"terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push\",\"name\":\"terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1104: Use of Unmaintained Third Party Components\",\"LOW CONFIDENCE\",\"OWASP-A06:2021 - Vulnerable and Outdated Components\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\\\"api\\\") and audit logs (\\\"audit\\\") of the EKS control plane through the enabled_cluster_log_types attribute.\"},\"help\":{\"markdown\":\"Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\\\"api\\\") and audit logs (\\\"audit\\\") of the EKS control plane through the enabled_cluster_log_types attribute.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging)\\n - [https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)\\n\",\"text\":\"Missing EKS control plane logging. 
It is recommended to enable at least Kubernetes API server component logs (\\\"api\\\") and audit logs (\\\"audit\\\") of the EKS control plane through the enabled_cluster_log_types attribute.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging\",\"id\":\"terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging\",\"name\":\"terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-778: Insufficient Logging\",\"LOW CONFIDENCE\",\"OWASP-A09:2021 - Security Logging and Monitoring Failures\",\"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\"},\"help\":{\"markdown\":\"The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled\",\"id\":\"terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled\",\"name\":\"terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Encryption at rest is not enabled for the elastic search domain resource\"},\"help\":{\"markdown\":\"Encryption at rest is not enabled for the elastic search domain resource\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Encryption at rest is not enabled for the elastic search domain resource\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest\",\"id\":\"terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest\",\"name\":\"terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - 
Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"IAM policies that allow full \\\"*-*\\\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE\"},\"help\":{\"markdown\":\"IAM policies that allow full \\\"*-*\\\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges)\\n - [https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py)\\n\",\"text\":\"IAM policies that allow full \\\"*-*\\\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. 
$TYPE\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges\",\"id\":\"terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges\",\"name\":\"terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\"},\"help\":{\"markdown\":\"Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. 
Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\\n\",\"text\":\"Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. 
Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure\",\"id\":\"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure\",\"name\":\"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.\"},\"help\":{\"markdown\":\"Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. 
Instead, make sure that the user granted these privileges are given these permissions on specific resources.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration)\\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/)\\n\",\"text\":\"Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. 
Instead, make sure that the user granted these privileges are given these permissions on specific resources.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration\",\"id\":\"terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration\",\"name\":\"terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\"},\"help\":{\"markdown\":\"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. 
Try not to use these actions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\\n\",\"text\":\"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs\",\"id\":\"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs\",\"name\":\"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. 
$RESOURCE\"},\"help\":{\"markdown\":\"Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py)\\n\",\"text\":\"Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. 
$RESOURCE\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users\",\"id\":\"terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users\",\"name\":\"terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\"},\"help\":{\"markdown\":\"Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. 
Try not to use these actions in conjuction.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\\n\",\"text\":\"Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles\",\"id\":\"terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles\",\"name\":\"terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. 
Instead, use another action that doesn\u0027t expose AWS resources.\"},\"help\":{\"markdown\":\"Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\\n\",\"text\":\"Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. 
Instead, use another action that doesn\u0027t expose AWS resources.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure\",\"id\":\"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure\",\"name\":\"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Ensure that no IAM policies allow \\\"*\\\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\"},\"help\":{\"markdown\":\"Ensure that no IAM policies allow \\\"*\\\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. 
Instead, specify the actions that a certain user or policy is allowed to take.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)\\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py)\\n\",\"text\":\"Ensure that no IAM policies allow \\\"*\\\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions\",\"id\":\"terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions\",\"name\":\"terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RDS instance or cluster with hardcoded credentials in source code. 
It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\"},\"help\":{\"markdown\":\"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\\n\",\"text\":\"RDS instance or cluster with hardcoded credentials in source code. 
It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code\",\"id\":\"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code\",\"name\":\"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RDS instance accessible from the Internet detected.\"},\"help\":{\"markdown\":\"RDS instance accessible from the Internet detected.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible)\\n - [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding)\\n\",\"text\":\"RDS instance 
accessible from the Internet detected.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access\",\"id\":\"terraform.lang.security.rds-public-access.rds-public-access\",\"name\":\"terraform.lang.security.rds-public-access.rds-public-access\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1220: Insufficient Granularity of Access Control\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.rds-public-access.rds-public-access\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"CORS rule on bucket permits any origin\"},\"help\":{\"markdown\":\"CORS rule on bucket permits any origin\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors)\\n\",\"text\":\"CORS rule on bucket permits any origin\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed\",\"id\":\"terraform.lang.security.s3-cors-all-origins.all-origins-allowed\",\"name\":\"terraform.lang.security.s3-cors-all-origins.all-origins-allowed\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-942: Permissive Cross-domain Policy with Untrusted Domains\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security 
Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.s3-cors-all-origins.all-origins-allowed\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"S3 bucket with public read access detected.\"},\"help\":{\"markdown\":\"S3 bucket with public read access detected.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\\n\",\"text\":\"S3 bucket with public read access detected.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket\",\"id\":\"terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket\",\"name\":\"terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"S3 bucket with public read-write access detected.\"},\"help\":{\"markdown\":\"S3 bucket with public read-write access detected.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and 
Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\\n\",\"text\":\"S3 bucket with public read-write access detected.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket\",\"id\":\"terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket\",\"name\":\"terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\"},\"help\":{\"markdown\":\"This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. 
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket)\\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration)\\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)\\n\",\"text\":\"This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket\",\"id\":\"terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket\",\"name\":\"terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-311: Missing Encryption of Sensitive Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Variable `$X` is likely modified and later used on error. 
In some cases this could result in panics due to a nil dereference\"},\"help\":{\"markdown\":\"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\\n\",\"text\":\"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable\",\"id\":\"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable\",\"name\":\"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-665: Improper Initialization\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\"},\"help\":{\"markdown\":\"Iteration over a possibly empty map `$C`. 
This is likely a bug or redundant code\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\\n\",\"text\":\"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map\",\"id\":\"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map\",\"name\":\"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-665: Improper Initialization\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\"},\"help\":{\"markdown\":\"Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex)\\n - [https://pkg.go.dev/sync#RWMutex](https://pkg.go.dev/sync#RWMutex)\\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\\n\",\"text\":\"Missing 
`RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex\",\"id\":\"trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex\",\"name\":\"trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-667: Improper Locking\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\"},\"help\":{\"markdown\":\"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\\n\",\"text\":\"Missing mutex unlock (`$T` variable) before returning from a function. 
This could result in panics resulting from double lock operations\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return\",\"id\":\"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return\",\"name\":\"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-667: Improper Locking\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Appending `$SLICE` from multiple goroutines is not concurrency safe\"},\"help\":{\"markdown\":\"Appending `$SLICE` from multiple goroutines is not concurrency safe\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice)\\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\\n\",\"text\":\"Appending `$SLICE` from multiple goroutines is not concurrency safe\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice\",\"id\":\"trailofbits.go.racy-append-to-slice.racy-append-to-slice\",\"name\":\"trailofbits.go.racy-append-to-slice.racy-append-to-slice\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
trailofbits.go.racy-append-to-slice.racy-append-to-slice\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Writing `$MAP` from multiple goroutines is not concurrency safe\"},\"help\":{\"markdown\":\"Writing `$MAP` from multiple goroutines is not concurrency safe\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map)\\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\\n\",\"text\":\"Writing `$MAP` from multiple goroutines is not concurrency safe\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map\",\"id\":\"trailofbits.go.racy-write-to-map.racy-write-to-map\",\"name\":\"trailofbits.go.racy-write-to-map.racy-write-to-map\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.racy-write-to-map.racy-write-to-map\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\"},\"help\":{\"markdown\":\"The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. 
An incorrect implementation could lead to denial of service\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil)\\n - [https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658](https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658)\\n\",\"text\":\"The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil\",\"id\":\"trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil\",\"name\":\"trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-476: NULL Pointer Dereference\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Downcasting or changing sign of an integer with `$CAST_METHOD` method\"},\"help\":{\"markdown\":\"Downcasting or changing sign of an integer with `$CAST_METHOD` method\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast)\\n - [https://github.com/golang/go/issues/30209](https://github.com/golang/go/issues/30209)\\n\",\"text\":\"Downcasting or changing sign of an integer with `$CAST_METHOD` method\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast\",\"id\":\"trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast\",\"name\":\"trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-681: Incorrect Conversion between Numeric Types\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\"},\"help\":{\"markdown\":\"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\\n\",\"text\":\"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. 
As a result, the struct `$T` may not be locked as intended\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied\",\"id\":\"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied\",\"name\":\"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-688: Function Call With Incorrect Variable or Reference as Argument\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\\nwaiting for more or less calls to `$WG.Done()` than expected\\n\"},\"help\":{\"markdown\":\"Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\\nwaiting for more or less calls to `$WG.Done()` than expected\\n\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine)\\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\\n\",\"text\":\"Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\\nwaiting for more or less calls to `$WG.Done()` than expected\\n\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine\",\"id\":\"trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine\",\"name\":\"trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-667: Improper Locking\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\"},\"help\":{\"markdown\":\"Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop)\\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\\n\",\"text\":\"Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop\",\"id\":\"trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop\",\"name\":\"trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-667: Improper Locking\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\"},\"help\":{\"markdown\":\"Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection)\\n - [https://github.com/argoproj/argo-workflows/issues/5061](https://github.com/argoproj/argo-workflows/issues/5061)\\n - [https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370](https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370)\\n\",\"text\":\"Using input or workflow parameters in here-scripts can lead to command injection or code injection. 
Convert the parameters to env variables instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection\",\"id\":\"yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection\",\"name\":\"yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 \u2013 Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this.\"},\"help\":{\"markdown\":\"Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. 
Remove \u0027docker.sock\u0027 from volumes to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume)\\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\\n\",\"text\":\"Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. 
Remove \u0027docker.sock\u0027 from volumes to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume\",\"id\":\"yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume\",\"name\":\"yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\"},\"help\":{\"markdown\":\"Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. 
Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\\n\",\"text\":\"Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges\",\"id\":\"yaml.docker-compose.security.no-new-privileges.no-new-privileges\",\"name\":\"yaml.docker-compose.security.no-new-privileges.no-new-privileges\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service \u0027$SERVICE\u0027 is running in privileged mode. 
This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\"},\"help\":{\"markdown\":\"Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\\n\",\"text\":\"Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. 
Remove the \u0027privileged\u0027 key to disable this capability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service\",\"id\":\"yaml.docker-compose.security.privileged-service.privileged-service\",\"name\":\"yaml.docker-compose.security.privileged-service.privileged-service\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"HIGH CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\"},\"help\":{\"markdown\":\"Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\\n\",\"text\":\"Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. 
Remove \u0027seccomp:unconfined\u0027 to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"id\":\"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"name\":\"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\"},\"help\":{\"markdown\":\"Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\\n\",\"text\":\"Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. 
This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled\",\"id\":\"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled\",\"name\":\"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this.\"},\"help\":{\"markdown\":\"Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. 
Add \u0027read_only: true\u0027 to this service to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)\\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir)\\n - [https://blog.atomist.com/security-of-docker-kubernetes/](https://blog.atomist.com/security-of-docker-kubernetes/)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only)\\n\",\"text\":\"Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. 
Add \u0027read_only: true\u0027 to this service to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service\",\"id\":\"yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service\",\"name\":\"yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-732: Incorrect Permission Assignment for Critical Resource\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\"},\"help\":{\"markdown\":\"The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. 
Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands)\\n - [https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/](https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/)\\n - [https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w](https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w)\\n - [https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files)\\n\",\"text\":\"The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. 
See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands\",\"id\":\"yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands\",\"name\":\"yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-749: Exposed Dangerous Method or Function\",\"MEDIUM CONFIDENCE\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\"},\"help\":{\"markdown\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval)\\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\\n\",\"text\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval\",\"id\":\"yaml.github-actions.security.curl-eval.curl-eval\",\"name\":\"yaml.github-actions.security.curl-eval.curl-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.github-actions.security.curl-eval.curl-eval\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. 
This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \\\"$ENVVAR\\\".\"},\"help\":{\"markdown\":\"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \\\"$ENVVAR\\\".\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\\n\",\"text\":\"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. 
This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \\\"$ENVVAR\\\".\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection\",\"id\":\"yaml.github-actions.security.github-script-injection.github-script-injection\",\"name\":\"yaml.github-actions.security.github-script-injection.github-script-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). 
Remove the \u0027privileged\u0027 key to disable this capability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container)\\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged)\\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\\n\",\"text\":\"Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container\",\"id\":\"yaml.kubernetes.security.privileged-container.privileged-container\",\"name\":\"yaml.kubernetes.security.privileged-container.privileged-container\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.kubernetes.security.privileged-container.privileged-container\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. 
One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\"},\"help\":{\"markdown\":\"When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. 
By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root)\\n - [https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/)\\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user)\\n\",\"text\":\"When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. 
By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root\",\"id\":\"yaml.kubernetes.security.run-as-non-root.run-as-non-root\",\"name\":\"yaml.kubernetes.security.run-as-non-root.run-as-non-root\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.kubernetes.security.run-as-non-root.run-as-non-root\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\"},\"help\":{\"markdown\":\"Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. 
Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp)\\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\\n\",\"text\":\"Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"id\":\"yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"name\":\"yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. 
Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\"},\"help\":{\"markdown\":\"Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster)\\n - [https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster](https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster)\\n\",\"text\":\"Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. 
Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster\",\"id\":\"yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster\",\"name\":\"yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\"},\"help\":{\"markdown\":\"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\\n\",\"text\":\"Service is disabling TLS certificate verification when communicating with the server. 
This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service\",\"id\":\"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service\",\"name\":\"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\"},\"help\":{\"markdown\":\"Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. 
When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false)\\n - [https://platform.openai.com/docs/actions/consequential-flag](https://platform.openai.com/docs/actions/consequential-flag)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\\n - [https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf](https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf)\\n\",\"text\":\"Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. 
Consider the trade-off between security and user friction and then make a risk-based decision about this function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false\",\"id\":\"yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false\",\"name\":\"yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A04:2021 Insecure Design\",\"OWASP-LLM08:2023 - Excessive Agency\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\"},\"help\":{\"markdown\":\"Basic authentication is considered weak and should be avoided. 
Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\\n\",\"text\":\"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication\",\"id\":\"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication\",\"name\":\"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"HIGH CONFIDENCE\",\"OWASP-A04:2021 Insecure Design\",\"OWASP-A07:2021 Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication\"}}],\"semanticVersion\":\"1.143.1\"}}}],\"$schema\":\"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json\"}\n",
"sarif": {
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": [
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/Dockerfile:9:\n `apt-get update \u0026\u0026 apt-get install -y \\\r\n gcc \\\r\n curl \\\r\n libxml2-dev \\\r\n libxslt-dev \\\r\n python3-dev \\\r\n \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 break || \\\r\n (echo \"Retry $i: Failed to install system dependencies\" \u0026\u0026 sleep 2); \\\r\n done\r\n\r\n# Upgrade pip and install build tools with fallback\r\nRUN pip install --no-cache-dir --upgrade pip setuptools wheel || \\\r\n (echo \"WARNING: Failed to upgrade pip/setuptools, continuing with defaults\" \u0026\u0026 true)\r\n\r\n# Copy requirements first for better caching\r\nCOPY requirements.txt .\r\n\r\n# Install Python dependencies with multiple fallback strategies\r\nRUN echo \"=== Installing Python dependencies ===\" \u0026\u0026 \\\r\n (pip install --no-cache-dir -r requirements.txt \u0026\u0026 echo \"\u2713 Dependencies installed successfully\") || \\\r\n (echo \"\u26a0 First attempt failed, trying with --use-deprecated=legacy-resolver\" \u0026\u0026 \\\r\n pip install --no-cache-dir --use-deprecated=legacy-resolver -r requirements.txt) || \\\r\n (echo \"\u26a0 Second attempt failed, trying packages individually\" \u0026\u0026 \\\r\n cat requirements.txt | grep -v \u0027^#\u0027 | grep -v \u0027^$\u0027 | while read pkg; do \\\r\n echo \"Installing $pkg...\" \u0026\u0026 \\\r\n pip install --no-cache-dir \"$pkg\" || echo \"WARNING: Failed to install $pkg\"; \\\r\n done) || \\\r\n (echo \"ERROR: Failed to install dependencies. Image may be incomplete.\" \u0026\u0026 exit 1)\r\n\r\n# Verify critical Flask dependencies are installed\r\nRUN python -c \"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed\u0027)\" || \\\r\n (echo \"ERROR: Flask not installed. 
Installing Flask as fallback...\" \u0026\u0026 \\\r\n pip install --no-cache-dir Flask\u003e=3.0.0 \u0026\u0026 \\\r\n python -c \"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed (fallback)\u0027)\")\r\n\r\n# Copy application code\r\nCOPY . .\r\n\r\n# Create data directory for SQLite databases with proper permissions\r\nRUN mkdir -p /app/data \u0026\u0026 chmod 777 /app/data\r\n\r\n# Validate app.py exists and has no syntax errors with detailed feedback\r\nRUN if [ ! -f app.py ]; then \\\r\n echo \"ERROR: app.py not found in /app di... (truncated 2052 more characters)"
}
},
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/Dockerfile:11:\n `apk add --no-cache python3 make g++ \u0026\u0026 break || \\\r\n (echo \"Retry $i: Failed to install build tools\" \u0026\u0026 sleep 2); \\\r\n done || true\r\n\r\n# Copy package files\r\nCOPY package.json ./\r\n\r\n# Upgrade npm with fallback\r\nRUN npm install -g npm@latest || \\\r\n (echo \"WARNING: Could not upgrade npm, using existing version $(npm -v)\" \u0026\u0026 true)\r\n\r\n# Install dependencies with multiple fallback strategies\r\nRUN echo \"=== Installing Node dependencies ===\" \u0026\u0026 \\\r\n echo \"Node version: $(node -v)\" \u0026\u0026 \\\r\n echo \"NPM version: $(npm -v)\" \u0026\u0026 \\\r\n (npm ci 2\u003e/dev/null \u0026\u0026 echo \"\u2713 npm ci succeeded\") || \\\r\n (echo \"\u26a0 npm ci failed (no package-lock.json), trying npm install...\" \u0026\u0026 \\\r\n npm install \u0026\u0026 echo \"\u2713 npm install succeeded\") || \\\r\n (echo \"\u26a0 npm install failed, trying with legacy peer deps...\" \u0026\u0026 \\\r\n npm install --legacy-peer-deps \u0026\u0026 echo \"\u2713 Install with legacy-peer-deps succeeded\") || \\\r\n (echo \"\u26a0 Trying to install packages individually...\" \u0026\u0026 \\\r\n npm install react react-dom axios \u0026\u0026 \\\r\n npm install -D vite @vitejs/plugin-react \u0026\u0026 \\\r\n echo \"\u2713 Individual package install completed\") || \\\r\n (echo \"ERROR: All installation strategies failed\" \u0026\u0026 exit 1)\r\n\r\n# Verify critical dependencies\r\nRUN node -e \"require(\u0027react\u0027); console.log(\u0027\u2713 React installed\u0027);\" || \\\r\n (echo \"WARNING: React verification failed\" \u0026\u0026 true)\r\nRUN node -e \"require(\u0027vite\u0027); console.log(\u0027\u2713 Vite installed\u0027);\" || \\\r\n (echo \"WARNING: Vite verification failed\" \u0026\u0026 true)\r\n\r\n# Copy source code\r\nCOPY . .\r\n\r\n# Verify required files exist\r\nRUN if [ ! 
-f index.html ]; then \\\r\n echo \"ERROR: index.html not found\" \u0026\u0026 exit 1; \\\r\n fi \u0026\u0026 \\\r\n if [ ! -f vite.config.js ]; then \\\r\n echo \"WARNING: vite.config.js not found, creating minimal config\" \u0026\u0026 \\\r\n echo \u0027import { defineConfig } from \"vite\"; export default defineConfig({});\u0027 \u003e vite.config.js; \\\r\n fi \u0026\u0026 \\\r\n if [ ! -d src ]; then \\\r\n echo \"ERROR: src directory not found\" \u0026\u0026 exit 1; \\\r\n fi\r\n\r\n# Build the application with fallbacks\r\nRUN e... (truncated 3823 more characters)"
}
}
]
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "requires login"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 39,
"endLine": 144,
"snippet": {
"text": " app.run(host=\u00270.0.0.0\u0027, port=port)"
},
"startColumn": 5,
"startLine": 144
}
}
}
],
"message": {
"text": "Running flask app with host 0.0.0.0 could expose the server publicly."
},
"properties": {},
"ruleId": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"
},
{
"fingerprints": {
"matchBasedId/v1": "requires login"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/nginx.conf",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 47,
"endLine": 24,
"snippet": {
"text": " proxy_http_version 1.1;\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \u0027upgrade\u0027;"
},
"startColumn": 9,
"startLine": 22
}
}
}
],
"message": {
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"properties": {},
"ruleId": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
}
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval",
"id": "bash.curl.security.curl-eval.curl-eval",
"name": "bash.curl.security.curl-eval.curl-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.curl.security.curl-eval.curl-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"id": "bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"name": "bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.curl.security.curl-pipe-bash.curl-pipe-bash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027."
},
"help": {
"markdown": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering",
"id": "bash.lang.security.ifs-tampering.ifs-tampering",
"name": "bash.lang.security.ifs-tampering.ifs-tampering",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead."
},
"help": {
"markdown": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\n",
"text": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"id": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"name": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input."
},
"help": {
"markdown": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n",
"text": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"id": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"name": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead."
},
"help": {
"markdown": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged](https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged)\n - [https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS](https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS)\n - [https://stackoverflow.com/a/40335556](https://stackoverflow.com/a/40335556)\n",
"text": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"id": "c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"name": "c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function."
},
"help": {
"markdown": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\n",
"text": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"id": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"name": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"id": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"name": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."
},
"help": {
"markdown": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
"text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5",
"id": "clojure.lang.security.use-of-md5.use-of-md5",
"name": "clojure.lang.security.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1",
"id": "clojure.lang.security.use-of-sha1.use-of-sha1",
"name": "clojure.lang.security.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."
},
"help": {
"markdown": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n",
"text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"id": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"name": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."
},
"help": {
"markdown": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n",
"text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"id": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"name": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`"
},
"help": {
"markdown": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug)\n - [https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/](https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n",
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"id": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"name": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."
},
"help": {
"markdown": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n",
"text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"id": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"name": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1323: Improper Management of Sensitive Trace Data",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."
},
"help": {
"markdown": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n",
"text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection",
"id": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
"name": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305."
},
"help": {
"markdown": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n",
"text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"id": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"name": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."
},
"help": {
"markdown": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n",
"text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"id": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"name": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."
},
"help": {
"markdown": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n",
"text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"id": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"name": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used."
},
"help": {
"markdown": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n",
"text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"id": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"name": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-613: Insufficient Session Expiration",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead."
},
"help": {
"markdown": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n",
"text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"id": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"name": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."
},
"help": {
"markdown": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n",
"text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"id": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"name": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"."
},
"help": {
"markdown": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n",
"text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"id": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"name": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
},
"help": {
"markdown": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection",
"id": "csharp.lang.security.injections.os-command.os-command-injection",
"name": "csharp.lang.security.injections.os-command.os-command-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.injections.os-command.os-command-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n",
"text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"HIGH CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior."
},
"help": {
"markdown": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n",
"text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"id": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"name": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"
},
"help": {
"markdown": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n",
"text": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"id": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"name": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."
},
"help": {
"markdown": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n",
"text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"id": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"name": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"
},
"help": {
"markdown": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n",
"text": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"id": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"name": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server."
},
"help": {
"markdown": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks)\n",
"text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"id": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"name": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n",
"text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n",
"text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"id": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"name": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None."
},
"help": {
"markdown": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization)\n - [https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks](https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks)\n",
"text": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"id": "csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"name": "csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n",
"text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."
},
"help": {
"markdown": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n",
"text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"id": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"name": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"properties": {
"precision": "very-high",
"tags": [
"CWE-125: Out-of-bounds Read",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"
},
"help": {
"markdown": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n",
"text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"id": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"name": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"
},
"help": {
"markdown": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n",
"text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"id": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"name": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"id": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"name": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf",
"id": "csharp.lang.security.ssrf.http-client.ssrf",
"name": "csharp.lang.security.ssrf.http-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.http-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf",
"id": "csharp.lang.security.ssrf.rest-client.ssrf",
"name": "csharp.lang.security.ssrf.rest-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.rest-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf",
"id": "csharp.lang.security.ssrf.web-client.ssrf",
"name": "csharp.lang.security.ssrf.web-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.web-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."
},
"help": {
"markdown": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf",
"id": "csharp.lang.security.ssrf.web-request.ssrf",
"name": "csharp.lang.security.ssrf.web-request.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."
},
"help": {
"markdown": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n",
"text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"id": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"name": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-209: Generation of Error Message Containing Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"id": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"name": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"id": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"name": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"id": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"name": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded."
},
"help": {
"markdown": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json",
"id": "csharp.razor.security.html-raw-json.html-raw-json",
"name": "csharp.razor.security.html-raw-json.html-raw-json",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. "
},
"help": {
"markdown": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url)\n - [https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url](https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url)\n - [https://github.com/semgrep/semgrep-rules/issues/3032](https://github.com/semgrep/semgrep-rules/issues/3032)\n",
"text": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"id": "dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"name": "dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"properties": {
"precision": "very-high",
"tags": [
"CWE-427: Uncontrolled Search Path Element",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape the container and execute arbitrary commands on the host machine."
},
"help": {
"markdown": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape the container and execute arbitrary commands on the host machine.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n",
"text": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape the container and execute arbitrary commands on the host machine.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"id": "dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"name": "dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"CWE-862: Missing Authorization",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027."
},
"help": {
"markdown": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n",
"text": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root",
"id": "dockerfile.security.last-user-is-root.last-user-is-root",
"name": "dockerfile.security.last-user-is-root.last-user-is-root",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027."
},
"help": {
"markdown": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"id": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"name": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027."
},
"help": {
"markdown": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
"id": "dockerfile.security.missing-user.missing-user",
"name": "dockerfile.security.missing-user.missing-user",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities."
},
"help": {
"markdown": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n",
"text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"id": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"name": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Semgrep found a bash reverse shell"
},
"help": {
"markdown": "Semgrep found a bash reverse shell\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Semgrep found a bash reverse shell\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"id": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"name": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path."
},
"help": {
"markdown": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n",
"text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal",
"id": "generic.nginx.security.alias-path-traversal.alias-path-traversal",
"name": "generic.nginx.security.alias-path-traversal.alias-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter the destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar."
},
"help": {
"markdown": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter the destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n",
"text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter the destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"id": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"name": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."
},
"help": {
"markdown": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n",
"text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"id": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"name": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027."
},
"help": {
"markdown": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n",
"text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection",
"id": "generic.nginx.security.header-injection.header-injection",
"name": "generic.nginx.security.header-injection.header-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.header-injection.header-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block."
},
"help": {
"markdown": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)\n",
"text": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition",
"id": "generic.nginx.security.header-redefinition.header-redefinition",
"name": "generic.nginx.security.header-redefinition.header-redefinition",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.header-redefinition.header-redefinition"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme."
},
"help": {
"markdown": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect",
"id": "generic.nginx.security.insecure-redirect.insecure-redirect",
"name": "generic.nginx.security.insecure-redirect.insecure-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."
},
"help": {
"markdown": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n",
"text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"id": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"name": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure."
},
"help": {
"markdown": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n",
"text": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal",
"id": "generic.nginx.security.missing-internal.missing-internal",
"name": "generic.nginx.security.missing-internal.missing-internal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions."
},
"help": {
"markdown": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n",
"text": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version",
"id": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
"name": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"help": {
"markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n",
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"id": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"name": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Amazon MWS Auth Token detected"
},
"help": {
"markdown": "Amazon MWS Auth Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Amazon MWS Auth Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"id": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"name": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Artifactory token detected"
},
"help": {
"markdown": "Artifactory token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Artifactory token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"id": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"name": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Artifactory token detected"
},
"help": {
"markdown": "Artifactory token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Artifactory token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"id": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"name": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file."
},
"help": {
"markdown": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"id": "generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"name": "generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferable to avoid hardcoding it here. Instead, read the value from an environment variable or keep the value in a separate, private file."
},
"help": {
"markdown": "AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferable to avoid hardcoding it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferable to avoid hardcoding it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"id": "generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"name": "generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-account-id.detected-aws-account-id"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS AppSync GraphQL Key detected"
},
"help": {
"markdown": "AWS AppSync GraphQL Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS AppSync GraphQL Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"id": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"name": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Secret Access Key detected"
},
"help": {
"markdown": "AWS Secret Access Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Secret Access Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"id": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"name": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Session Token detected"
},
"help": {
"markdown": "AWS Session Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Session Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"id": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"name": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "bcrypt hash detected"
},
"help": {
"markdown": "bcrypt hash detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "bcrypt hash detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"id": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"name": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "CodeClimate detected"
},
"help": {
"markdown": "CodeClimate detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "CodeClimate detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate",
"id": "generic.secrets.security.detected-codeclimate.detected-codeclimate",
"name": "generic.secrets.security.detected-codeclimate.detected-codeclimate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "linux shadow file detected"
},
"help": {
"markdown": "linux shadow file detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "linux shadow file detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"id": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"name": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Facebook Access Token detected"
},
"help": {
"markdown": "Facebook Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Facebook Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"id": "generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"name": "generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Facebook OAuth detected"
},
"help": {
"markdown": "Facebook OAuth detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Facebook OAuth detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"id": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"name": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Generic API Key detected"
},
"help": {
"markdown": "Generic API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key)\n - [https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json)\n",
"text": "Generic API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"id": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"name": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-generic-api-key.detected-generic-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Generic Secret detected"
},
"help": {
"markdown": "Generic Secret detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Generic Secret detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret",
"id": "generic.secrets.security.detected-generic-secret.detected-generic-secret",
"name": "generic.secrets.security.detected-generic-secret.detected-generic-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "GitHub Token detected"
},
"help": {
"markdown": "GitHub Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "GitHub Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token",
"id": "generic.secrets.security.detected-github-token.detected-github-token",
"name": "generic.secrets.security.detected-github-token.detected-github-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-github-token.detected-github-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Google OAuth Access Token detected"
},
"help": {
"markdown": "Google OAuth Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Google OAuth Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"id": "generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"name": "generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Heroku API Key detected"
},
"help": {
"markdown": "Heroku API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Heroku API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"id": "generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"name": "generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "HockeyApp detected"
},
"help": {
"markdown": "HockeyApp detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "HockeyApp detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"id": "generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"name": "generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-hockeyapp.detected-hockeyapp"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "JWT token detected"
},
"help": {
"markdown": "JWT token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n",
"text": "JWT token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token",
"id": "generic.secrets.security.detected-jwt-token.detected-jwt-token",
"name": "generic.secrets.security.detected-jwt-token.detected-jwt-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-321: Use of Hard-coded Cryptographic Key",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Kolide API Key detected"
},
"help": {
"markdown": "Kolide API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Kolide API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"id": "generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"name": "generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "MailChimp API Key detected"
},
"help": {
"markdown": "MailChimp API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "MailChimp API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"id": "generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"name": "generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Mailgun API Key detected"
},
"help": {
"markdown": "Mailgun API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Mailgun API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"id": "generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"name": "generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "NPM registry authentication token detected"
},
"help": {
"markdown": "NPM registry authentication token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "NPM registry authentication token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"id": "generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"name": "generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Onfido live API Token detected"
},
"help": {
"markdown": "Onfido live API Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n",
"text": "Onfido live API Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"id": "generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"name": "generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Outlook Team detected"
},
"help": {
"markdown": "Outlook Team detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Outlook Team detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team",
"id": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"name": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "PayPal Braintree Access Token detected"
},
"help": {
"markdown": "PayPal Braintree Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "PayPal Braintree Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"id": "generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"name": "generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit."
},
"help": {
"markdown": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"id": "generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"name": "generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Picatic API Key detected"
},
"help": {
"markdown": "Picatic API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Picatic API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"id": "generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"name": "generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."
},
"help": {
"markdown": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key",
"id": "generic.secrets.security.detected-private-key.detected-private-key",
"name": "generic.secrets.security.detected-private-key.detected-private-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Sauce Token detected"
},
"help": {
"markdown": "Sauce Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Sauce Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token",
"id": "generic.secrets.security.detected-sauce-token.detected-sauce-token",
"name": "generic.secrets.security.detected-sauce-token.detected-sauce-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sauce-token.detected-sauce-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SendGrid API Key detected"
},
"help": {
"markdown": "SendGrid API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SendGrid API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"id": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"name": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Slack Token detected"
},
"help": {
"markdown": "Slack Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token)\n - [https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58](https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58)\n",
"text": "Slack Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token",
"id": "generic.secrets.security.detected-slack-token.detected-slack-token",
"name": "generic.secrets.security.detected-slack-token.detected-slack-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-slack-token.detected-slack-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Slack Webhook detected"
},
"help": {
"markdown": "Slack Webhook detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook)\n - [https://api.slack.com/messaging/webhooks](https://api.slack.com/messaging/webhooks)\n",
"text": "Slack Webhook detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"id": "generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"name": "generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-slack-webhook.detected-slack-webhook"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Snyk API Key detected"
},
"help": {
"markdown": "Snyk API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Snyk API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"id": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"name": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SoftLayer API Key detected"
},
"help": {
"markdown": "SoftLayer API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SoftLayer API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"id": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"name": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SonarQube Docs API Key detected"
},
"help": {
"markdown": "SonarQube Docs API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SonarQube Docs API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"id": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"name": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Square Access Token detected"
},
"help": {
"markdown": "Square Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Square Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token",
"id": "generic.secrets.security.detected-square-access-token.detected-square-access-token",
"name": "generic.secrets.security.detected-square-access-token.detected-square-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-square-access-token.detected-square-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Square OAuth Secret detected"
},
"help": {
"markdown": "Square OAuth Secret detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n",
"text": "Square OAuth Secret detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"id": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"name": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSH Password detected"
},
"help": {
"markdown": "SSH Password detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SSH Password detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password",
"id": "generic.secrets.security.detected-ssh-password.detected-ssh-password",
"name": "generic.secrets.security.detected-ssh-password.detected-ssh-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-ssh-password.detected-ssh-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Stripe API Key detected"
},
"help": {
"markdown": "Stripe API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Stripe API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"id": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"name": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Stripe Restricted API Key detected"
},
"help": {
"markdown": "Stripe Restricted API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Stripe Restricted API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"id": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"name": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Telegram Bot API Key detected"
},
"help": {
"markdown": "Telegram Bot API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Telegram Bot API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"id": "generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"name": "generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Twilio API Key detected"
},
"help": {
"markdown": "Twilio API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Twilio API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"id": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"name": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects potential Google Maps API keys in code"
},
"help": {
"markdown": "Detects potential Google Maps API keys in code\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n",
"text": "Detects potential Google Maps API keys in code\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"id": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"name": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"properties": {
"precision": "very-high",
"tags": [
"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"MEDIUM CONFIDENCE",
"OWASP-A3:2017 Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."
},
"help": {
"markdown": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n",
"text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters",
"id": "generic.unicode.security.bidi.contains-bidirectional-characters",
"name": "generic.unicode.security.bidi.contains-bidirectional-characters",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/"
},
"help": {
"markdown": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs)\n - [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)\n - [https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/](https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/)\n",
"text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"id": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"name": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."
},
"help": {
"markdown": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n",
"text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"id": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"name": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher."
},
"help": {
"markdown": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute)\n - [https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5](https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5)\n",
"text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"id": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"name": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true."
},
"help": {
"markdown": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version)\n - [https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm](https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm)\n",
"text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"id": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"name": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli)\n - [https://pkg.go.dev/database/sql#DB.Query](https://pkg.go.dev/database/sql#DB.Query)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli",
"id": "go.aws-lambda.security.database-sqli.database-sqli",
"name": "go.aws-lambda.security.database-sqli.database-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.aws-lambda.security.database-sqli.database-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"id": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"name": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"id": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"name": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."
},
"help": {
"markdown": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n",
"text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"id": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"name": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\""
},
"help": {
"markdown": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)\n - [https://pkg.go.dev/github.com/gorilla/websocket#Upgrader](https://pkg.go.dev/github.com/gorilla/websocket#Upgrader)\n",
"text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"id": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"name": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027."
},
"help": {
"markdown": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
"text": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create a create credentials using a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"id": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"name": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-300: Channel Accessible by Non-Endpoint",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027."
},
"help": {
"markdown": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
"text": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"id": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"name": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-300: Channel Accessible by Non-Endpoint",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"id": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"name": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"id": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"name": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key",
"id": "go.jwt-go.security.jwt.hardcoded-jwt-key",
"name": "go.jwt-go.security.jwt.hardcoded-jwt-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead."
},
"help": {
"markdown": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used)\n - [https://godoc.org/golang.org/x/crypto/sha3](https://godoc.org/golang.org/x/crypto/sha3)\n",
"text": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"id": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"name": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.bad_imports.insecure-module-used"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it."
},
"help": {
"markdown": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key)\n - [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/)\n - [https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d](https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d)\n",
"text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"id": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"name": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-322: Key Exchange without Entity Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Do not use `math/rand`. Use `crypto/rand` instead."
},
"help": {
"markdown": "Do not use `math/rand`. Use `crypto/rand` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n",
"text": "Do not use `math/rand`. Use `crypto/rand` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used",
"id": "go.lang.security.audit.crypto.math_random.math-random-used",
"name": "go.lang.security.audit.crypto.math_random.math-random-used",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3."
},
"help": {
"markdown": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\n - [https://go.dev/doc/go1.22#minor_library_changes](https://go.dev/doc/go1.22#minor_library_changes)\n - [https://pkg.go.dev/crypto/tls#:~:text=MinVersion](https://pkg.go.dev/crypto/tls#:~:text=MinVersion)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
"text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"id": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"name": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"id": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"name": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027."
},
"help": {
"markdown": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
"text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"id": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"name": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use."
},
"help": {
"markdown": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\n",
"text": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"id": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"name": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead."
},
"help": {
"markdown": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead."
},
"help": {
"markdown": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits"
},
"help": {
"markdown": "RSA keys should be at least 2048 bits\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"id": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"name": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"id": "go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"name": "go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"id": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"name": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"id": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"name": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"id": "go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"name": "go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data."
},
"help": {
"markdown": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"id": "go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"name": "go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.database.string-formatted-query.string-formatted-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."
},
"help": {
"markdown": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"id": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"name": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"id": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"name": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"id": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"name": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."
},
"help": {
"markdown": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n",
"text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"id": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"name": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n",
"text": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"name": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation."
},
"help": {
"markdown": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure)\n - [https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/](https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/)\n",
"text": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure",
"id": "go.lang.security.audit.net.pprof.pprof-debug-exposure",
"name": "go.lang.security.audit.net.pprof.pprof-debug-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.pprof.pprof-debug-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr)\n - [https://golang.org/pkg/html/template/#HTMLAttr](https://golang.org/pkg/html/template/#HTMLAttr)\n",
"text": "Found a formatted template string passed to \u0027template.HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"id": "go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"name": "go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n",
"text": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"id": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"name": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url)\n - [https://golang.org/pkg/html/template/#URL](https://golang.org/pkg/html/template/#URL)\n",
"text": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"id": "go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"name": "go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."
},
"help": {
"markdown": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n",
"text": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls",
"id": "go.lang.security.audit.net.use-tls.use-tls",
"name": "go.lang.security.audit.net.use-tls.use-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped."
},
"help": {
"markdown": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"id": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"name": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability."
},
"help": {
"markdown": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"id": "go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"name": "go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.reflect-makefunc.reflect-makefunc"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli)\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\n",
"text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"id": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"name": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n",
"text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"id": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"name": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n",
"text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"id": "go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"name": "go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n",
"text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"id": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"name": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."
},
"help": {
"markdown": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"id": "go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"name": "go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities."
},
"help": {
"markdown": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template)\n - [https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security](https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security)\n",
"text": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template",
"id": "go.lang.security.audit.xss.import-text-template.import-text-template",
"name": "go.lang.security.audit.xss.import-text-template.import-text-template",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.import-text-template.import-text-template"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027."
},
"help": {
"markdown": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"id": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"name": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"id": "go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"name": "go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead."
},
"help": {
"markdown": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag)\n - [https://github.com/golang/go/issues/19669](https://github.com/golang/go/issues/19669)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"id": "go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"name": "go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped."
},
"help": {
"markdown": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string)\n - [https://github.com/golang/go/issues/9200#issuecomment-66100328](https://github.com/golang/go/issues/9200#issuecomment-66100328)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"id": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"name": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n",
"text": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"id": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"name": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"id": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"name": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use \u0027template.Execute()\u0027."
},
"help": {
"markdown": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use \u0027template.Execute()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33)\n",
"text": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use \u0027template.Execute()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"id": "go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"name": "go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File creation in shared tmp directory without using `io.CreateTemp`."
},
"help": {
"markdown": "File creation in shared tmp directory without using `io.CreateTemp`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://pkg.go.dev/io/ioutil#TempFile](https://pkg.go.dev/io/ioutil#TempFile)\n - [https://pkg.go.dev/os#CreateTemp](https://pkg.go.dev/os#CreateTemp)\n - [https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67](https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67)\n",
"text": "File creation in shared tmp directory without using `io.CreateTemp`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation",
"id": "go.lang.security.bad_tmp.bad-tmp-file-creation",
"name": "go.lang.security.bad_tmp.bad-tmp-file-creation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-377: Insecure Temporary File",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.bad_tmp.bad-tmp-file-creation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. "
},
"help": {
"markdown": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb)\n - [https://golang.org/pkg/io/#CopyN](https://golang.org/pkg/io/#CopyN)\n - [https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go](https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go)\n",
"text": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"id": "go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"name": "go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-400: Uncontrolled Resource Consumption",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme."
},
"help": {
"markdown": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse)\n - [https://pkg.go.dev/path#Clean](https://pkg.go.dev/path#Clean)\n - [http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html](http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html)\n - [https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/](https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/)\n - [https://dzx.cz/2021/04/02/go_path_traversal/](https://dzx.cz/2021/04/02/go_path_traversal/)\n - [https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme](https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme)\n",
"text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"id": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"name": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.filepath-clean-misuse.filepath-clean-misuse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist."
},
"help": {
"markdown": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html](https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html)\n",
"text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect",
"id": "go.lang.security.injection.open-redirect.open-redirect",
"name": "go.lang.security.injection.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format",
"id": "go.lang.security.injection.raw-html-format.raw-html-format",
"name": "go.lang.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://golang.org/doc/database/sql-injection](https://golang.org/doc/database/sql-injection)\n - [https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/](https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"id": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"name": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist."
},
"help": {
"markdown": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n",
"text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host",
"id": "go.lang.security.injection.tainted-url-host.tainted-url-host",
"name": "go.lang.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"HIGH CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director."
},
"help": {
"markdown": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director)\n - [https://github.com/golang/go/issues/50580](https://github.com/golang/go/issues/50580)\n",
"text": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director",
"id": "go.lang.security.reverseproxy-director.reverseproxy-director",
"name": "go.lang.security.reverseproxy-director.reverseproxy-director",
"properties": {
"precision": "very-high",
"tags": [
"CWE-115: Misinterpretation of Input",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.reverseproxy-director.reverseproxy-director"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File traversal when extracting zip archive"
},
"help": {
"markdown": "File traversal when extracting zip archive\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "File traversal when extracting zip archive\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction",
"id": "go.lang.security.zip.path-traversal-inside-zip-extraction",
"name": "go.lang.security.zip.path-traversal-inside-zip-extraction",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.zip.path-traversal-inside-zip-extraction"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution",
"id": "go.otto.security.audit.dangerous-execution.dangerous-execution",
"name": "go.otto.security.audit.dangerous-execution.dangerous-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.otto.security.audit.dangerous-execution.dangerous-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files."
},
"help": {
"markdown": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity",
"id": "html.security.audit.missing-integrity.missing-integrity",
"name": "html.security.audit.missing-integrity.missing-integrity",
"properties": {
"precision": "very-high",
"tags": [
"CWE-353: Missing Support for Integrity Check",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: html.security.audit.missing-integrity.missing-integrity"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
},
"help": {
"markdown": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link)\n - [https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)\n",
"text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link",
"id": "html.security.plaintext-http-link.plaintext-http-link",
"name": "html.security.plaintext-http-link.plaintext-http-link",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: html.security.plaintext-http-link.plaintext-http-link"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane."
},
"help": {
"markdown": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.android.security.exported_activity.exported_activity)\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\n",
"text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.android.security.exported_activity.exported_activity",
"id": "java.android.security.exported_activity.exported_activity",
"name": "java.android.security.exported_activity.exported_activity",
"properties": {
"precision": "very-high",
"tags": [
"CWE-926: Improper Export of Android Application Components",
"MEDIUM CONFIDENCE",
"OWASP-A5:2021 Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.android.security.exported_activity.exported_activity"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli",
"id": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
"name": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.aws-lambda.security.tainted-sqli.tainted-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"id": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"name": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"id": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"name": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"id": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"name": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"id": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"name": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection",
"id": "java.jboss.security.seam-log-injection.seam-log-injection",
"name": "java.jboss.security.seam-log-injection.seam-log-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jboss.security.seam-log-injection.seam-log-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "In $METHOD, $X is used to construct a SQL query via string concatenation."
},
"help": {
"markdown": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation",
"id": "java.jboss.security.session_sqli.find-sql-string-concatenation",
"name": "java.jboss.security.session_sqli.find-sql-string-concatenation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jboss.security.session_sqli.find-sql-string-concatenation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"id": "java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"name": "java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"id": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"name": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead."
},
"help": {
"markdown": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n",
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"id": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"name": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead."
},
"help": {
"markdown": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"id": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"name": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead."
},
"help": {
"markdown": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n",
"text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"id": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"name": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"id": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"name": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"id": "java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"name": "java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.command-injection-process-builder.command-injection-process-builder"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"name": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"id": "java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"name": "java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."
},
"help": {
"markdown": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"id": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"name": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."
},
"help": {
"markdown": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"id": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"name": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES."
},
"help": {
"markdown": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n",
"text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"id": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"name": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
},
"help": {
"markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"id": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"name": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "GCM IV/nonce is reused: encryption can be totally useless"
},
"help": {
"markdown": "GCM IV/nonce is reused: encryption can be totally useless\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "GCM IV/nonce is reused: encryption can be totally useless\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"id": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"name": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"id": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"name": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."
},
"help": {
"markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n",
"text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"id": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"name": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"properties": {
"precision": "very-high",
"tags": [
"CWE-329: Generation of Predictable IV with CBC Mode",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using RSA without OAEP mode weakens the encryption."
},
"help": {
"markdown": "Using RSA without OAEP mode weakens the encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n",
"text": "Using RSA without OAEP mode weakens the encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"id": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"name": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"
},
"help": {
"markdown": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n",
"text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"id": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"name": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead."
},
"help": {
"markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"id": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"name": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."
},
"help": {
"markdown": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"id": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"name": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information."
},
"help": {
"markdown": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager)\n - [https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https](https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https)\n",
"text": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"id": "java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"name": "java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead."
},
"help": {
"markdown": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"id": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"name": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"id": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"name": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"id": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"name": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"id": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"name": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"id": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"name": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"id": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"name": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"id": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"name": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"id": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"name": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"id": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"name": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"id": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"name": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."
},
"help": {
"markdown": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random",
"id": "java.lang.security.audit.crypto.weak-random.weak-random",
"name": "java.lang.security.audit.crypto.weak-random.weak-random",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits based on NIST recommendation."
},
"help": {
"markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"id": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"name": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"id": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"name": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection",
"id": "java.lang.security.audit.el-injection.el-injection",
"name": "java.lang.security.audit.el-injection.el-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.el-injection.el-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statement (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statement (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statement (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"id": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"name": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.formatted-sql-string.formatted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."
},
"help": {
"markdown": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n",
"text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting",
"id": "java.lang.security.audit.http-response-splitting.http-response-splitting",
"name": "java.lang.security.audit.http-response-splitting.http-response-splitting",
"properties": {
"precision": "very-high",
"tags": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027."
},
"help": {
"markdown": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"id": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"name": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-297: Improper Validation of Certificate with Host Mismatch",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep found potential reverse shell behavior"
},
"help": {
"markdown": "Semgrep found potential reverse shell behavior\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.java-reverse-shell.java-reverse-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Semgrep found potential reverse shell behavior\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"id": "java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"name": "java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.java-reverse-shell.java-reverse-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027"
},
"help": {
"markdown": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"id": "java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"name": "java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution."
},
"help": {
"markdown": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"id": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"name": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data."
},
"help": {
"markdown": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection",
"id": "java.lang.security.audit.ldap-injection.ldap-injection",
"name": "java.lang.security.audit.ldap-injection.ldap-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ldap-injection.ldap-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object."
},
"help": {
"markdown": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization)\n - [https://www.owasp.org/index.php/Deserialization_of_untrusted_data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data)\n - [https://www.oracle.com/java/technologies/javase/seccodeguide.html#8](https://www.oracle.com/java/technologies/javase/seccodeguide.html#8)\n",
"text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization",
"id": "java.lang.security.audit.object-deserialization.object-deserialization",
"name": "java.lang.security.audit.object-deserialization.object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.object-deserialization.object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation."
},
"help": {
"markdown": "An expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection",
"id": "java.lang.security.audit.ognl-injection.ognl-injection",
"name": "java.lang.security.audit.ognl-injection.ognl-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ognl-injection.ognl-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally bad practice to set overly permissive file permissions such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."
},
"help": {
"markdown": "Detected file permissions that are overly permissive (read, write, and execute). It is generally bad practice to set overly permissive file permissions such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally bad practice to set overly permissive file permissions such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"id": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"name": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks."
},
"help": {
"markdown": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors",
"id": "java.lang.security.audit.permissive-cors.permissive-cors",
"name": "java.lang.security.audit.permissive-cors.permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.permissive-cors.permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability."
},
"help": {
"markdown": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection",
"id": "java.lang.security.audit.script-engine-injection.script-engine-injection",
"name": "java.lang.security.audit.script-engine-injection.script-engine-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.script-engine-injection.script-engine-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"id": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"name": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"id": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"name": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"id": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"name": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"id": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"name": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from an HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
},
"help": {
"markdown": "Detected input from an HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected input from an HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"id": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"name": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"id": "java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"name": "java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"id": "java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"name": "java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected input from an HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."
},
"help": {
"markdown": "Detected input from an HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from an HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"id": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"name": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected input from an HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`."
},
"help": {
"markdown": "Detected input from an HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from an HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"id": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"name": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-454: External Initialization of Trusted Variables or Data Stores",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from an HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."
},
"help": {
"markdown": "Detected input from an HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n",
"text": "Detected input from an HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"id": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"name": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from an HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."
},
"help": {
"markdown": "Detected input from an HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Detected input from an HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"id": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"name": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-501: Trust Boundary Violation",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"id": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"name": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-643: Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."
},
"help": {
"markdown": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"id": "java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"name": "java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."
},
"help": {
"markdown": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"id": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"name": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties."
},
"help": {
"markdown": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting",
"id": "java.lang.security.audit.url-rewriting.url-rewriting",
"name": "java.lang.security.audit.url-rewriting.url-rewriting",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.url-rewriting.url-rewriting"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."
},
"help": {
"markdown": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n",
"text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"id": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"name": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."
},
"help": {
"markdown": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder",
"id": "java.lang.security.audit.xml-decoder.xml-decoder",
"name": "java.lang.security.audit.xml-decoder.xml-decoder",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element."
},
"help": {
"markdown": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n",
"text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"id": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"name": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"LOW CONFIDENCE",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."
},
"help": {
"markdown": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n",
"text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"id": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"name": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."
},
"help": {
"markdown": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"id": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"name": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."
},
"help": {
"markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"id": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"name": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"id": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"name": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."
},
"help": {
"markdown": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n",
"text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use",
"id": "java.lang.security.do-privileged-use.do-privileged-use",
"name": "java.lang.security.do-privileged-use.do-privileged-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"id": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"name": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."
},
"help": {
"markdown": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n",
"text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"id": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"name": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization."
},
"help": {
"markdown": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n",
"text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"id": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"name": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A8:2017 Insecure Deserialization",
"OWASP-A8:2021 Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027."
},
"help": {
"markdown": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"id": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"name": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."
},
"help": {
"markdown": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n",
"text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"id": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"name": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."
},
"help": {
"markdown": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n",
"text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"id": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"name": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."
},
"help": {
"markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n",
"text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"id": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"name": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."
},
"help": {
"markdown": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n",
"text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"id": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"name": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."
},
"help": {
"markdown": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization)\n - [https://frohoff.github.io/appseccali-marshalling-pickles/](https://frohoff.github.io/appseccali-marshalling-pickles/)\n - [https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi](https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi)\n - [https://youtu.be/t_aw1mDNhzI](https://youtu.be/t_aw1mDNhzI)\n - [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)\n - [https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331](https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331)\n",
"text": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"id": "java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"name": "java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."
},
"help": {
"markdown": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false)\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n",
"text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"id": "java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"name": "java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.servlets.security.cookie-issecure-false.cookie-issecure-false"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection",
"id": "java.spring.security.audit.spel-injection.spel-injection",
"name": "java.spring.security.audit.spel-injection.spel-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spel-injection.spel-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."
},
"help": {
"markdown": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
"text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"id": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"name": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CSRF protection is disabled for this configuration. This is a security risk."
},
"help": {
"markdown": "CSRF protection is disabled for this configuration. This is a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "CSRF protection is disabled for this configuration. This is a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"id": "java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"name": "java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"id": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"name": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli",
"id": "java.spring.security.audit.spring-sqli.spring-sqli",
"name": "java.spring.security.audit.spring-sqli.spring-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-sqli.spring-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."
},
"help": {
"markdown": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"id": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"name": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path",
"id": "java.spring.security.injection.tainted-file-path.tainted-file-path",
"name": "java.spring.security.injection.tainted-file-path.tainted-file-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-23: Relative Path Traversal",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string",
"id": "java.spring.security.injection.tainted-html-string.tainted-html-string",
"name": "java.spring.security.injection.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"id": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"name": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands."
},
"help": {
"markdown": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n",
"text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command",
"id": "java.spring.security.injection.tainted-system-command.tainted-system-command",
"name": "java.spring.security.injection.tainted-system-command.tainted-system-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host",
"id": "java.spring.security.injection.tainted-url-host.tainted-url-host",
"name": "java.spring.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027)."
},
"help": {
"markdown": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n",
"text": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"id": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"name": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production."
},
"help": {
"markdown": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true)\n - [https://ajv.js.org/options.html#allerrors](https://ajv.js.org/options.html#allerrors)\n",
"text": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"id": "javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"name": "javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-400: Uncontrolled Resource Consumption",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."
},
"help": {
"markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"id": "javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"name": "javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."
},
"help": {
"markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"id": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"name": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection."
},
"help": {
"markdown": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"id": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"name": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."
},
"help": {
"markdown": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"id": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"name": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities."
},
"help": {
"markdown": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"id": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"name": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsCss](https://docs.angularjs.org/api/ng/service/$sce#trustAsCss)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"id": "javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"name": "javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml](https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"id": "javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"name": "javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"id": "javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"name": "javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"id": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"name": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"id": "javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"name": "javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"id": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"name": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API."
},
"help": {
"markdown": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"id": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"name": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."
},
"help": {
"markdown": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"id": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"name": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."
},
"help": {
"markdown": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n",
"text": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"id": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"name": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"properties": {
"precision": "very-high",
"tags": [
"CWE-916: Use of Password Hash With Insufficient Computational Effort",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`."
},
"help": {
"markdown": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"id": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"name": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Allowing arbitrary programs to be spawned, or shell processes to be run with arbitrary arguments, can lead to a command injection vulnerability. Avoid non-literal values for the command string. If that is not possible, do not allow arbitrary commands to run; validate inputs against an allowlist."
},
"help": {
"markdown": "Allowing arbitrary programs to be spawned, or shell processes to be run with arbitrary arguments, can lead to a command injection vulnerability. Avoid non-literal values for the command string. If that is not possible, do not allow arbitrary commands to run; validate inputs against an allowlist.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Allowing arbitrary programs to be spawned, or shell processes to be run with arbitrary arguments, can lead to a command injection vulnerability. Avoid non-literal values for the command string. If that is not possible, do not allow arbitrary commands to run; validate inputs against an allowlist.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process",
"id": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
"name": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.detect-child-process.detect-child-process"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
},
"help": {
"markdown": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"id": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"name": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"properties": {
"precision": "very-high",
"tags": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli",
"id": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
"name": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.knex-sqli.knex-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"id": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"name": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.mysql-sqli.mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli",
"id": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
"name": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"id": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"name": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval",
"id": "javascript.aws-lambda.security.tainted-eval.tainted-eval",
"name": "javascript.aws-lambda.security.tainted-eval.tainted-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-eval.tainted-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
},
"help": {
"markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"id": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"name": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"id": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"name": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions."
},
"help": {
"markdown": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"id": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"name": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()"
},
"help": {
"markdown": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution)\n - [http://bluebirdjs.com/docs/getting-started.html](http://bluebirdjs.com/docs/getting-started.html)\n",
"text": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"id": "javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"name": "javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."
},
"help": {
"markdown": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n",
"text": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss",
"id": "javascript.browser.security.dom-based-xss.dom-based-xss",
"name": "javascript.browser.security.dom-based-xss.dom-based-xss",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected",
"id": "javascript.browser.security.eval-detected.eval-detected",
"name": "javascript.browser.security.eval-detected.eval-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.eval-detected.eval-detected"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities"
},
"help": {
"markdown": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method",
"id": "javascript.browser.security.insecure-document-method.insecure-document-method",
"name": "javascript.browser.security.insecure-document-method.insecure-document-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.insecure-document-method.insecure-document-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS)."
},
"help": {
"markdown": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"id": "javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"name": "javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection."
},
"help": {
"markdown": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect",
"id": "javascript.browser.security.open-redirect.js-open-redirect",
"name": "javascript.browser.security.open-redirect.js-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.open-redirect.js-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controlled data in a HTML string may result in XSS"
},
"help": {
"markdown": "User controlled data in a HTML string may result in XSS\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n",
"text": "User controlled data in a HTML string may result in XSS\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat",
"id": "javascript.browser.security.raw-html-concat.raw-html-concat",
"name": "javascript.browser.security.raw-html-concat.raw-html-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message."
},
"help": {
"markdown": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"id": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"name": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection)\n - [https://github.com/cyrus-and/chrome-remote-interface](https://github.com/cyrus-and/chrome-remote-interface)\n",
"text": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"id": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"name": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."
},
"help": {
"markdown": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n",
"text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"id": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"name": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."
},
"help": {
"markdown": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"id": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"name": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."
},
"help": {
"markdown": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n",
"text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"id": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"name": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-548: Exposure of Information Through Directory Listing",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly."
},
"help": {
"markdown": "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next."
},
"help": {
"markdown": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies."
},
"help": {
"markdown": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks."
},
"help": {
"markdown": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request."
},
"help": {
"markdown": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS."
},
"help": {
"markdown": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function."
},
"help": {
"markdown": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage)\n - [https://github.com/mmckegg/notevil](https://github.com/mmckegg/notevil)\n",
"text": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"id": "javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"name": "javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1104: Use of Unmaintained Third Party Components",
"LOW CONFIDENCE",
"OWASP-A06:2021 - Vulnerable and Outdated Components",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."
},
"help": {
"markdown": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"id": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"name": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected."
},
"help": {
"markdown": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"id": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"name": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-libxml-noent.express-libxml-noent"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it."
},
"help": {
"markdown": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"id": "javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"name": "javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website."
},
"help": {
"markdown": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect",
"id": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
"name": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possible write outside of the destination; make sure that the target path is nested in the intended destination."
},
"help": {
"markdown": "Possible write outside of the destination; make sure that the target path is nested in the intended destination.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Possible write outside of the destination; make sure that the target path is nested in the intended destination.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"id": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"name": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing."
},
"help": {
"markdown": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n",
"text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"id": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"name": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-res-sendfile.express-res-sendfile"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"id": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"name": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The following request $REQUEST.$METHOD() was found to be crafted from user input `$REQ`, which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended, where possible, not to allow user input to craft the base request, but to treat it only as part of the path or query parameter. When user input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse."
},
"help": {
"markdown": "The following request $REQUEST.$METHOD() was found to be crafted from user input `$REQ`, which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended, where possible, not to allow user input to craft the base request, but to treat it only as part of the path or query parameter. When user input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "The following request $REQUEST.$METHOD() was found to be crafted from user input `$REQ`, which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended, where possible, not to allow user input to craft the base request, but to treat it only as part of the path or query parameter. When user input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf",
"id": "javascript.express.security.audit.express-ssrf.express-ssrf",
"name": "javascript.express.security.audit.express-ssrf.express-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from()."
},
"help": {
"markdown": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\n",
"text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"id": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"name": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"HIGH CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An XML parser is used inside a request handler. Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) processing vulnerabilities."
},
"help": {
"markdown": "An XML parser is used inside a request handler. Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) processing vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
"text": "An XML parser is used inside a request handler. Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) processing vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"id": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"name": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype. Use literal values for object properties."
},
"help": {
"markdown": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype. Use literal values for object properties.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n",
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype. Use literal values for object properties.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection",
"id": "javascript.express.security.audit.remote-property-injection.remote-property-injection",
"name": "javascript.express.security.audit.remote-property-injection.remote-property-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques, e.g. `../folder/index`, to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application."
},
"help": {
"markdown": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques, e.g. `../folder/index`, to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection)\n - [http://expressjs.com/en/4x/api.html#res.render](http://expressjs.com/en/4x/api.html#res.render)\n",
"text": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques, e.g. `../folder/index`, to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection",
"id": "javascript.express.security.audit.res-render-injection.res-render-injection",
"name": "javascript.express.security.audit.res-render-injection.res-render-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.res-render-injection.res-render-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML."
},
"help": {
"markdown": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"id": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"name": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.direct-response-write.direct-response-write"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need unescaped output, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need unescaped output, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)\n - [http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/](http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/)\n",
"text": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need unescaped output, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result."
},
"help": {
"markdown": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"id": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"name": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"id": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"name": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027."
},
"help": {
"markdown": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n",
"text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"id": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"name": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n - [https://ractive.js.org/v0.x/0.7/mustaches#variables](https://ractive.js.org/v0.x/0.7/mustaches#variables)\n",
"text": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes)\n - [https://pugjs.org/language/attributes.html#attributes](https://pugjs.org/language/attributes.html#attributes)\n",
"text": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"id": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"name": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape)\n - [https://pugjs.org/language/code.html#unescaped-buffered-code](https://pugjs.org/language/code.html#unescaped-buffered-code)\n - [https://pugjs.org/language/attributes.html#unescaped-attributes](https://pugjs.org/language/attributes.html#unescaped-attributes)\n",
"text": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header."
},
"help": {
"markdown": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n",
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"id": "javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"name": "javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-href.var-in-href"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"id": "javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"name": "javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings."
},
"help": {
"markdown": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\n",
"text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"id": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"name": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.cors-misconfiguration.cors-misconfiguration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability."
},
"help": {
"markdown": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n",
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"id": "javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"name": "javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-data-exfiltration.express-data-exfiltration"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."
},
"help": {
"markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n",
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe",
"id": "javascript.express.security.express-expat-xxe.express-expat-xxe",
"name": "javascript.express.security.express-expat-xxe.express-expat-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability."
},
"help": {
"markdown": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"id": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"name": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"id": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"name": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection)\n - [https://phantomjs.org/page-automation.html](https://phantomjs.org/page-automation.html)\n",
"text": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection",
"id": "javascript.express.security.express-phantom-injection.express-phantom-injection",
"name": "javascript.express.security.express-phantom-injection.express-phantom-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-phantom-injection.express-phantom-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection)\n - [https://pptr.dev/api/puppeteer.page](https://pptr.dev/api/puppeteer.page)\n",
"text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"id": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"name": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `sandbox`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `sandbox`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `sandbox`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"id": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"name": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `$VM`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `$VM`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `$VM`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection",
"id": "javascript.express.security.express-vm-injection.express-vm-injection",
"name": "javascript.express.security.express-vm-injection.express-vm-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-vm-injection.express-vm-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection",
"id": "javascript.express.security.express-vm2-injection.express-vm2-injection",
"name": "javascript.express.security.express-vm2-injection.express-vm2-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection)\n - [https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\n",
"text": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"id": "javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"name": "javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection)\n - [https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\n",
"text": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"id": "javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"name": "javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"id": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"name": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format",
"id": "javascript.express.security.injection.raw-html-format.raw-html-format",
"name": "javascript.express.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."
},
"help": {
"markdown": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n",
"text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.require-request.require-request",
"id": "javascript.express.security.require-request.require-request",
"name": "javascript.express.security.require-request.require-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.require-request.require-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`."
},
"help": {
"markdown": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)\n",
"text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"id": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"name": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities"
},
"help": {
"markdown": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"id": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"name": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."
},
"help": {
"markdown": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n",
"text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"
},
"help": {
"markdown": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n",
"text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"id": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"name": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"id": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"name": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg",
"id": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
"name": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"id": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"name": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"id": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"name": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify)\n - [https://www.npmjs.com/package/jwt-simple](https://www.npmjs.com/package/jwt-simple)\n - [https://cwe.mitre.org/data/definitions/287](https://cwe.mitre.org/data/definitions/287)\n - [https://cwe.mitre.org/data/definitions/345](https://cwe.mitre.org/data/definitions/345)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"id": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"name": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"CWE-345: Insufficient Verification of Data Authenticity",
"CWE-347: Improper Verification of Cryptographic Signature",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible."
},
"help": {
"markdown": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)\n - [https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback](https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback)\n - [https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/](https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/)\n - [https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)\n",
"text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat",
"id": "javascript.lang.security.audit.code-string-concat.code-string-concat",
"name": "javascript.lang.security.audit.code-string-concat.code-string-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.code-string-concat.code-string-concat"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability."
},
"help": {
"markdown": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n",
"text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"id": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"name": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."
},
"help": {
"markdown": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n",
"text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"name": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable."
},
"help": {
"markdown": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key)\n - [https://rules.sonarsource.com/javascript/RSPEC-2068](https://rules.sonarsource.com/javascript/RSPEC-2068)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management)\n",
"text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"id": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"name": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag."
},
"help": {
"markdown": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"id": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"name": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-116: Improper Encoding or Escaping of Output",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.npmjs.com/package/bcrypt](https://www.npmjs.com/package/bcrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first."
},
"help": {
"markdown": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"id": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"name": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."
},
"help": {
"markdown": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n",
"text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"name": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead."
},
"help": {
"markdown": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"id": "javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"name": "javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.spawn-shell-true.spawn-shell-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"id": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"name": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n",
"text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"id": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"name": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."
},
"help": {
"markdown": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"id": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"name": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n",
"text": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"id": "javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"name": "javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data."
},
"help": {
"markdown": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag)\n - [https://www.developsec.com/2017/11/09/xss-in-a-script-tag/](https://www.developsec.com/2017/11/09/xss-in-a-script-tag/)\n - [https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68](https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68)\n",
"text": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"id": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"name": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n",
"text": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"id": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"name": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"properties": {
"precision": "very-high",
"tags": [
"CWE-134: Use of Externally-Controlled Format String",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of noassert in Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer."
},
"help": {
"markdown": "Detected usage of noassert in Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert)\n - [https://cwe.mitre.org/data/definitions/119.html](https://cwe.mitre.org/data/definitions/119.html)\n",
"text": "Detected usage of noassert in Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"properties": {
"precision": "very-high",
"tags": [
"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. "
},
"help": {
"markdown": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n",
"text": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process",
"id": "javascript.lang.security.detect-child-process.detect-child-process",
"name": "javascript.lang.security.detect-child-process.detect-child-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-child-process.detect-child-process"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Markup escaping disabled. With some template engines this disables the escaping of HTML entities, which can lead to XSS attacks."
},
"help": {
"markdown": "Markup escaping disabled. With some template engines this disables the escaping of HTML entities, which can lead to XSS attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Markup escaping disabled. With some template engines this disables the escaping of HTML entities, which can lead to XSS attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-116: Improper Encoding or Escaping of Output",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."
},
"help": {
"markdown": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n",
"text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections."
},
"help": {
"markdown": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"id": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"name": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later."
},
"help": {
"markdown": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md](https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md)\n",
"text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers."
},
"help": {
"markdown": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"id": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"name": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have, or can lead to a mass assignment vulnerability."
},
"help": {
"markdown": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have, or can lead to a mass assignment vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n",
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have, or can lead to a mass assignment vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign",
"id": "javascript.lang.security.insecure-object-assign.insecure-object-assign",
"name": "javascript.lang.security.insecure-object-assign.insecure-object-assign",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input."
},
"help": {
"markdown": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone",
"id": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
"name": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.spawn-git-clone.spawn-git-clone"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If user input reaches `HoverProvider` while `supportHtml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input."
},
"help": {
"markdown": "If user input reaches `HoverProvider` while `supportHtml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport)\n - [https://github.com/microsoft/monaco-editor/issues/801](https://github.com/microsoft/monaco-editor/issues/801)\n",
"text": "If user input reaches `HoverProvider` while `supportHtml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"id": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"name": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The \u0027final\u0027 call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call \u0027final\u0027 will invalidate all integrity guarantees of the released ciphertext."
},
"help": {
"markdown": "The \u0027final\u0027 call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call \u0027final\u0027 will invalidate all integrity guarantees of the released ciphertext.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final)\n - [https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding](https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
"text": "The \u0027final\u0027 call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call \u0027final\u0027 will invalidate all integrity guarantees of the released ciphertext.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final",
"id": "javascript.node-crypto.security.aead-no-final.aead-no-final",
"name": "javascript.node-crypto.security.aead-no-final.aead-no-final",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: CWE CATEGORY: Cryptographic Issues",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.aead-no-final.aead-no-final"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to a break of both confidentiality and integrity if the key is used more than once. Other modes are still affected in their strength, though they\u0027re not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead."
},
"help": {
"markdown": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to a break of both confidentiality and integrity if the key is used more than once. Other modes are still affected in their strength, though they\u0027re not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n",
"text": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to a break of both confidentiality and integrity if the key is used more than once. Other modes are still affected in their strength, though they\u0027re not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"id": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"name": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1204: Generation of Weak Initialization Vector (IV)",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."
},
"help": {
"markdown": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
"text": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"id": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"name": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: CWE CATEGORY: Cryptographic Issues",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"id": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"name": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection",
"id": "javascript.phantom.security.audit.phantom-injection.phantom-injection",
"name": "javascript.phantom.security.audit.phantom-injection.phantom-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"id": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"name": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"id": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"name": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"id": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"name": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk."
},
"help": {
"markdown": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"id": "javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"name": "javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"id": "javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"name": "javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"id": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"name": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk."
},
"help": {
"markdown": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"id": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"name": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `sandbox`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `sandbox`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `sandbox`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"id": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"name": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML."
},
"help": {
"markdown": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe)\n - [https://github.com/Leonidas-from-XIV/node-xml2js/issues/415](https://github.com/Leonidas-from-XIV/node-xml2js/issues/415)\n - [https://github.com/isaacs/sax-js](https://github.com/isaacs/sax-js)\n",
"text": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe",
"id": "javascript.sax.security.audit.sax-xxe.sax-xxe",
"name": "javascript.sax.security.audit.sax-xxe.sax-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sax.security.audit.sax-xxe.sax-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""
},
"help": {
"markdown": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n",
"text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"id": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"name": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."
},
"help": {
"markdown": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n",
"text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"id": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"name": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."
},
"help": {
"markdown": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n",
"text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"id": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"name": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."
},
"help": {
"markdown": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n",
"text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"id": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"name": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS."
},
"help": {
"markdown": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"id": "javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"name": "javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"properties": {
"precision": "very-high",
"tags": [
"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution"
},
"help": {
"markdown": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"id": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"name": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential arbitrary code execution, piped to eval"
},
"help": {
"markdown": "Potential arbitrary code execution, piped to eval\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Potential arbitrary code execution, piped to eval\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"id": "javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"name": "javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"id": "javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"name": "javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"id": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"name": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content."
},
"help": {
"markdown": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html)\n - [https://vuejs.org/v2/guide/syntax.html#Raw-HTML](https://vuejs.org/v2/guide/syntax.html#Raw-HTML)\n",
"text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"id": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"name": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"id": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"name": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"id": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"name": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."
},
"help": {
"markdown": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n",
"text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket",
"id": "json.aws.security.public-s3-bucket.public-s3-bucket",
"name": "json.aws.security.public-s3-bucket.public-s3-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket."
},
"help": {
"markdown": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html)\n",
"text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"properties": {
"precision": "very-high",
"tags": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.public-s3-policy-statement.public-s3-policy-statement"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`."
},
"help": {
"markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role",
"id": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
"name": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."
},
"help": {
"markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"id": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"name": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"id": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"name": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead."
},
"help": {
"markdown": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n",
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"id": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"name": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"id": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"name": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"id": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"name": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"id": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"name": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."
},
"help": {
"markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"id": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"name": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
},
"help": {
"markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher",
"id": "kotlin.lang.security.ecb-cipher.ecb-cipher",
"name": "kotlin.lang.security.ecb-cipher.ecb-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.ecb-cipher.ecb-cipher"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted."
},
"help": {
"markdown": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection)\n - [https://cwe.mitre.org/data/definitions/323.html](https://cwe.mitre.org/data/definitions/323.html)\n",
"text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection",
"id": "kotlin.lang.security.gcm-detection.gcm-detection",
"name": "kotlin.lang.security.gcm-detection.gcm-detection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.gcm-detection.gcm-detection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher",
"id": "kotlin.lang.security.no-null-cipher.no-null-cipher",
"name": "kotlin.lang.security.no-null-cipher.no-null-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead"
},
"help": {
"markdown": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"id": "kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"name": "kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5",
"id": "kotlin.lang.security.use-of-md5.use-of-md5",
"name": "kotlin.lang.security.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1",
"id": "kotlin.lang.security.use-of-sha1.use-of-sha1",
"name": "kotlin.lang.security.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits based on NIST recommendation."
},
"help": {
"markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"id": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"name": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib."
},
"help": {
"markdown": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives)\n",
"text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"id": "ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"name": "ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.compatibility.deprecated.deprecated-pervasives"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning."
},
"help": {
"markdown": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line)\n",
"text": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line",
"id": "ocaml.lang.portability.crlf-support.broken-input-line",
"name": "ocaml.lang.portability.crlf-support.broken-input-line",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.broken-input-line"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027."
},
"help": {
"markdown": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode)\n",
"text": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"id": "ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"name": "ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027."
},
"help": {
"markdown": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode)\n",
"text": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"id": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"name": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "You should probably use Filename.get_temp_dirname()."
},
"help": {
"markdown": "You should probably use Filename.get_temp_dirname().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n",
"text": "You should probably use Filename.get_temp_dirname().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"id": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"name": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Unsafe functions do not perform boundary checks or have other side effects, use with care."
},
"help": {
"markdown": "Unsafe functions do not perform boundary checks or have other side effects, use with care.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.security.unsafe.ocamllint-unsafe)\n - [https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get](https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get)\n - [https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string](https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string)\n",
"text": "Unsafe functions do not perform boundary checks or have other side effects, use with care.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.security.unsafe.ocamllint-unsafe",
"id": "ocaml.lang.security.unsafe.ocamllint-unsafe",
"name": "ocaml.lang.security.unsafe.ocamllint-unsafe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-242: Use of Inherently Dangerous Function (4.12)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.security.unsafe.ocamllint-unsafe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"id": "php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"name": "php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead."
},
"help": {
"markdown": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"id": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"name": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling assert with user input is equivalent to eval\u0027ing."
},
"help": {
"markdown": "Calling assert with user input is equivalent to eval\u0027ing.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.assert-use.assert-use)\n - [https://www.php.net/manual/en/function.assert](https://www.php.net/manual/en/function.assert)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php)\n",
"text": "Calling assert with user input is equivalent to eval\u0027ing.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.assert-use.assert-use",
"id": "php.lang.security.assert-use.assert-use",
"name": "php.lang.security.assert-use.assert-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.assert-use.assert-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."
},
"help": {
"markdown": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n",
"text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"id": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"name": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-252: Unchecked Return Value",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash",
"id": "php.lang.security.audit.sha224-hash.sha224-hash",
"name": "php.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Backticks use may lead to command injection vulnerabilities."
},
"help": {
"markdown": "Backticks use may lead to command injection vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use)\n - [https://www.php.net/manual/en/language.operators.execution.php](https://www.php.net/manual/en/language.operators.execution.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php)\n",
"text": "Backticks use may lead to command injection vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use",
"id": "php.lang.security.backticks-use.backticks-use",
"name": "php.lang.security.backticks-use.backticks-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.backticks-use.backticks-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens."
},
"help": {
"markdown": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision)\n - [https://www.php.net/base_convert](https://www.php.net/base_convert)\n - [https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/](https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/)\n",
"text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"id": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"name": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-190: Integer Overflow or Wraparound",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.base-convert-loses-precision.base-convert-loses-precision"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)"
},
"help": {
"markdown": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off)\n - [https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/](https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/)\n",
"text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"id": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"name": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables."
},
"help": {
"markdown": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data)\n - [https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes](https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes)\n",
"text": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data",
"id": "php.lang.security.deserialization.extract-user-data",
"name": "php.lang.security.deserialization.extract-user-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.deserialization.extract-user-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Evaluating non-constant commands. This can lead to command injection."
},
"help": {
"markdown": "Evaluating non-constant commands. This can lead to command injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.eval-use.eval-use)\n - [https://www.php.net/manual/en/function.eval](https://www.php.net/manual/en/function.eval)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n",
"text": "Evaluating non-constant commands. This can lead to command injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.eval-use.eval-use",
"id": "php.lang.security.eval-use.eval-use",
"name": "php.lang.security.eval-use.eval-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.eval-use.eval-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Executing non-constant commands. This can lead to command injection."
},
"help": {
"markdown": "Executing non-constant commands. This can lead to command injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.exec-use.exec-use)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php)\n",
"text": "Executing non-constant commands. This can lead to command injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.exec-use.exec-use",
"id": "php.lang.security.exec-use.exec-use",
"name": "php.lang.security.exec-use.exec-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.exec-use.exec-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative."
},
"help": {
"markdown": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n",
"text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use",
"id": "php.lang.security.ftp-use.ftp-use",
"name": "php.lang.security.ftp-use.ftp-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.ftp-use.ftp-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users."
},
"help": {
"markdown": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request)\n - [https://www.php.net/manual/en/function.htmlentities.php](https://www.php.net/manual/en/function.htmlentities.php)\n - [https://www.php.net/manual/en/reserved.variables.request.php](https://www.php.net/manual/en/reserved.variables.request.php)\n - [https://www.php.net/manual/en/reserved.variables.post.php](https://www.php.net/manual/en/reserved.variables.post.php)\n - [https://www.php.net/manual/en/reserved.variables.get.php](https://www.php.net/manual/en/reserved.variables.get.php)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request",
"id": "php.lang.security.injection.printed-request.printed-request",
"name": "php.lang.security.injection.printed-request.printed-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.printed-request.printed-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Callable based on user input risks remote code execution."
},
"help": {
"markdown": "Callable based on user input risks remote code execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable)\n - [https://www.php.net/manual/en/language.types.callable.php](https://www.php.net/manual/en/language.types.callable.php)\n",
"text": "Callable based on user input risks remote code execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable",
"id": "php.lang.security.injection.tainted-callable.tainted-callable",
"name": "php.lang.security.injection.tainted-callable.tainted-callable",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-callable.tainted-callable"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User input is passed to a function that executes a shell command. This can lead to remote code execution."
},
"help": {
"markdown": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec",
"id": "php.lang.security.injection.tainted-exec.tainted-exec",
"name": "php.lang.security.injection.tainted-exec.tainted-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-exec.tainted-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File name based on user input risks server-side request forgery."
},
"help": {
"markdown": "File name based on user input risks server-side request forgery.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "File name based on user input risks server-side request forgery.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename",
"id": "php.lang.security.injection.tainted-filename.tainted-filename",
"name": "php.lang.security.injection.tainted-filename.tainted-filename",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application."
},
"help": {
"markdown": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"id": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"name": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."
},
"help": {
"markdown": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n",
"text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session",
"id": "php.lang.security.injection.tainted-session.tainted-session",
"name": "php.lang.security.injection.tainted-session.tainted-session",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"id": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"name": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host",
"id": "php.lang.security.injection.tainted-url-host.tainted-url-host",
"name": "php.lang.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password)\n - [https://www.php.net/manual/en/function.ldap-bind.php](https://www.php.net/manual/en/function.ldap-bind.php)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"id": "php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"name": "php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.ldap-bind-without-password.ldap-bind-without-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code."
},
"help": {
"markdown": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval)\n - [https://www.php.net/manual/en/function.mb-ereg-replace.php](https://www.php.net/manual/en/function.mb-ereg-replace.php)\n - [https://www.php.net/manual/en/function.mb-regex-set-options.php](https://www.php.net/manual/en/function.mb-regex-set-options.php)\n",
"text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"id": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"name": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL."
},
"help": {
"markdown": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use)\n - [https://www.php.net/manual/en/intro.mcrypt.php](https://www.php.net/manual/en/intro.mcrypt.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php)\n",
"text": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use",
"id": "php.lang.security.mcrypt-use.mcrypt-use",
"name": "php.lang.security.mcrypt-use.mcrypt-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.mcrypt-use.mcrypt-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"
},
"help": {
"markdown": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/](https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/)\n",
"text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality",
"id": "php.lang.security.md5-loose-equality.md5-loose-equality",
"name": "php.lang.security.md5-loose-equality.md5-loose-equality",
"properties": {
"precision": "very-high",
"tags": [
"CWE-697: Incorrect Comparison",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password",
"id": "php.lang.security.md5-used-as-password.md5-used-as-password",
"name": "php.lang.security.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data."
},
"help": {
"markdown": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv)\n - [https://csrc.nist.gov/publications/detail/sp/800-38a/final](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\n",
"text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"id": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"name": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-329: Generation of Predictable IV with CBC Mode",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors",
"id": "php.lang.security.php-permissive-cors.php-permissive-cors",
"name": "php.lang.security.php-permissive-cors.php-permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment."
},
"help": {
"markdown": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use)\n - [https://www.php.net/manual/en/function.phpinfo](https://www.php.net/manual/en/function.phpinfo)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php)\n",
"text": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use",
"id": "php.lang.security.phpinfo-use.phpinfo-use",
"name": "php.lang.security.phpinfo-use.phpinfo-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.phpinfo-use.phpinfo-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Executing non-constant commands can lead to command injection. Pass each untrusted argument through `escapeshellarg()` before building the command, or avoid the shell entirely."
},
"help": {
"markdown": "Executing non-constant commands can lead to command injection. Pass each untrusted argument through `escapeshellarg()` before building the command, or avoid the shell entirely.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec)\n - [https://www.stackhawk.com/blog/php-command-injection/](https://www.stackhawk.com/blog/php-command-injection/)\n - [https://brightsec.com/blog/code-injection-php/](https://brightsec.com/blog/code-injection-php/)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n",
"text": "Executing non-constant commands can lead to command injection. Pass each untrusted argument through `escapeshellarg()` before building the command, or avoid the shell entirely.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec",
"id": "php.lang.security.tainted-exec.tainted-exec",
"name": "php.lang.security.tainted-exec.tainted-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.tainted-exec.tainted-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use)\n - [https://www.php.net/manual/en/function.unlink](https://www.php.net/manual/en/function.unlink)\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\n",
"text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use",
"id": "php.lang.security.unlink-use.unlink-use",
"name": "php.lang.security.unlink-use.unlink-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.unlink-use.unlink-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Calling `unserialize()` on user input can lead to arbitrary code execution through object injection. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers)."
},
"help": {
"markdown": "Calling `unserialize()` on user input can lead to arbitrary code execution through object injection. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use)\n - [https://www.php.net/manual/en/function.unserialize.php](https://www.php.net/manual/en/function.unserialize.php)\n - [https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html](https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html)\n",
"text": "Calling `unserialize()` on user input can lead to arbitrary code execution through object injection. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use",
"id": "php.lang.security.unserialize-use.unserialize-use",
"name": "php.lang.security.unserialize-use.unserialize-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.unserialize-use.unserialize-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation."
},
"help": {
"markdown": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n",
"text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"id": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"name": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."
},
"help": {
"markdown": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n",
"text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"id": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"name": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection."
},
"help": {
"markdown": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator)\n - [https://laravel.com/docs/9.x/validation#rule-unique](https://laravel.com/docs/9.x/validation#rule-unique)\n",
"text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"id": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"name": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`."
},
"help": {
"markdown": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled)\n - [https://symfony.com/doc/current/security/csrf.html](https://symfony.com/doc/current/security/csrf.html)\n",
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"id": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"name": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs."
},
"help": {
"markdown": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect)\n - [https://symfony.com/doc/current/controller.html#redirecting](https://symfony.com/doc/current/controller.html#redirecting)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"id": "php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"name": "php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"id": "php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"name": "php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities."
},
"help": {
"markdown": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit)\n - [https://developer.wordpress.org/reference/functions/wp_safe_remote_get/](https://developer.wordpress.org/reference/functions/wp_safe_remote_get/)\n - [https://developer.wordpress.org/reference/functions/wp_remote_get/](https://developer.wordpress.org/reference/functions/wp_remote_get/)\n - [https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/)\n",
"text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"id": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"name": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."
},
"help": {
"markdown": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate](https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate)\n",
"text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions)\n - [https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle](https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle)\n",
"text": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"id": "problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"name": "problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request)\n - [https://godoc.org/github.com/jlaffaye/ftp#Dial](https://godoc.org/github.com/jlaffaye/ftp#Dial)\n - [https://github.com/jlaffaye/ftp](https://github.com/jlaffaye/ftp)\n",
"text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n",
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n",
"text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."
},
"help": {
"markdown": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request)\n - [https://golang.org/pkg/net/http/#NewRequest](https://golang.org/pkg/net/http/#NewRequest)\n",
"text": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."
},
"help": {
"markdown": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n",
"text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n",
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks."
},
"help": {
"markdown": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request)\n - [https://godoc.org/github.com/reiver/go-telnet](https://godoc.org/github.com/reiver/go-telnet)\n",
"text": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."
},
"help": {
"markdown": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n",
"text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request)\n - [https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-](https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-)\n",
"text": "Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"id": "problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"name": "problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."
},
"help": {
"markdown": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n",
"text": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"id": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"name": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disables TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."
},
"help": {
"markdown": "Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disables TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification)\n - [https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-](https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n",
"text": "Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disables TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1)\n - [https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle](https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle)\n",
"text": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"id": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"name": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications](https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications)\n",
"text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"id": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"name": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request)\n - [https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server](https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server)\n - [https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html](https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html)\n",
"text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request)\n - [https://hc.apache.org/httpcomponents-client-ga/quickstart.html](https://hc.apache.org/httpcomponents-client-ga/quickstart.html)\n",
"text": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n",
"text": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS."
},
"help": {
"markdown": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n",
"text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS."
},
"help": {
"markdown": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n",
"text": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic."
},
"help": {
"markdown": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request)\n - [https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html](https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html)\n",
"text": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."
},
"help": {
"markdown": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n",
"text": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."
},
"help": {
"markdown": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n",
"text": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"id": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"name": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request)\n - [https://kong.github.io/unirest-java/#requests](https://kong.github.io/unirest-java/#requests)\n",
"text": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used."
},
"help": {
"markdown": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n",
"text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n",
"text": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n",
"text": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module."
},
"help": {
"markdown": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request)\n - [https://www.npmjs.com/package/ftp](https://www.npmjs.com/package/ftp)\n - [https://openbase.io/js/ftp](https://openbase.io/js/ftp)\n",
"text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request)\n - [https://nodejs.org/api/http.html#http_http_request_options_callback](https://nodejs.org/api/http.html#http_http_request_options_callback)\n",
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request",
"id": "problem-based-packs.insecure-transport.js-node.http-request.http-request",
"name": "problem-based-packs.insecure-transport.js-node.http-request.http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.http-request.http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using some of Node.js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using some of Node.js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n - [https://www.npmjs.com/package/got](https://www.npmjs.com/package/got)\n - [https://www.npmjs.com/package/node-rest-client](https://www.npmjs.com/package/node-rest-client)\n",
"text": "Checks for requests to http (unencrypted) sites using some of Node.js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"id": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"name": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."
},
"help": {
"markdown": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request)\n - [https://www.npmjs.com/package/telnet](https://www.npmjs.com/package/telnet)\n - [https://www.npmjs.com/package/telnet-client](https://www.npmjs.com/package/telnet-client)\n",
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."
},
"help": {
"markdown": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n",
"text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"id": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"name": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests)\n - [https://github.com/rest-client/rest-client](https://github.com/rest-client/rest-client)\n - [https://github.com/jnunemaker/httparty/tree/master/docs](https://github.com/jnunemaker/httparty/tree/master/docs)\n",
"text": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request)\n - [https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html](https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html)\n",
"text": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request)\n - [https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/](https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/)\n",
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."
},
"help": {
"markdown": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n",
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http and ftp (unencrypted) sites using OpenURI."
},
"help": {
"markdown": "Checks for requests to http and ftp (unencrypted) sites using OpenURI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request)\n - [https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html](https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html)\n",
"text": "Checks for requests to http and ftp (unencrypted) sites using OpenURI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources."
},
"help": {
"markdown": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"id": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"name": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec)\n - [https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec](https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"id": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"name": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"id": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"name": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell)\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"id": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"name": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here."
},
"help": {
"markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"id": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"name": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose."
},
"help": {
"markdown": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"id": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"name": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability."
},
"help": {
"markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"id": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"name": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-system-call.dangerous-system-call"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
},
"help": {
"markdown": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection)\n - [https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac](https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac)\n",
"text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"id": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"name": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli",
"id": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
"name": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.mysql-sqli.mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/cursor.html#cursor.execute](https://www.psycopg.org/docs/cursor.html#cursor.execute)\n - [https://www.psycopg.org/docs/cursor.html#cursor.executemany](https://www.psycopg.org/docs/cursor.html#cursor.executemany)\n - [https://www.psycopg.org/docs/cursor.html#cursor.mogrify](https://www.psycopg.org/docs/cursor.html#cursor.mogrify)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"id": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"name": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.psycopg-sqli.psycopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"id": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"name": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli)\n - [https://pypi.org/project/PyMySQL/#id4](https://pypi.org/project/PyMySQL/#id4)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"id": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"name": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.pymysql-sqli.pymysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli)\n - [https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute](https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"id": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"name": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"id": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"name": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-code-exec.tainted-code-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
},
"help": {
"markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response",
"id": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
"name": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string",
"id": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
"name": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n",
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"id": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"name": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://bento.dev/checks/boto3/hardcoded-access-token/](https://bento.dev/checks/boto3/hardcoded-access-token/)\n - [https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token",
"id": "python.boto3.security.hardcoded-token.hardcoded-token",
"name": "python.boto3.security.hardcoded-token.hardcoded-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.boto3.security.hardcoded-token.hardcoded-token"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption."
},
"help": {
"markdown": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://cwe.mitre.org/data/definitions/310.html](https://cwe.mitre.org/data/definitions/310.html)\n",
"text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key",
"id": "python.cryptography.security.empty-aes-key.empty-aes-key",
"name": "python.cryptography.security.empty-aes-key.empty-aes-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: Cryptographic Issues",
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A6:2017 misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.empty-aes-key.empty-aes-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n",
"text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"id": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"name": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n",
"text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"id": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"name": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n",
"text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"id": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"name": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM."
},
"help": {
"markdown": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n",
"text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"id": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"name": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"id": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"name": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"id": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"name": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf](https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"id": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"name": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027."
},
"help": {
"markdown": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves)\n",
"text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"id": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"name": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."
},
"help": {
"markdown": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n",
"text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.distributed.security.require-encryption",
"id": "python.distributed.security.require-encryption",
"name": "python.distributed.security.require-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.distributed.security.require-encryption"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."
},
"help": {
"markdown": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"id": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"name": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead."
},
"help": {
"markdown": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe)\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe)\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html)\n",
"text": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"id": "python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"name": "python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.avoid-mark-safe.avoid-mark-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator."
},
"help": {
"markdown": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt",
"id": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
"name": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.csrf-exempt.no-csrf-exempt"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized."
},
"help": {
"markdown": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"id": "python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"name": "python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application."
},
"help": {
"markdown": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config)\n - [https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy](https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy)\n",
"text": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"id": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"name": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"properties": {
"precision": "very-high",
"tags": [
"CWE-770: Allocation of Resources Without Limits or Throttling",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized."
},
"help": {
"markdown": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression",
"id": "python.django.security.audit.extends-custom-expression.extends-custom-expression",
"name": "python.django.security.audit.extends-custom-expression.extends-custom-expression",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.extends-custom-expression.extends-custom-expression"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`."
},
"help": {
"markdown": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra)\n - [https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra](https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra",
"id": "python.django.security.audit.query-set-extra.avoid-query-set-extra",
"name": "python.django.security.audit.query-set-extra.avoid-query-set-extra",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.query-set-extra.avoid-query-set-extra"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`"
},
"help": {
"markdown": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql",
"id": "python.django.security.audit.raw-query.avoid-raw-sql",
"name": "python.django.security.audit.raw-query.avoid-raw-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.raw-query.avoid-raw-sql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None."
},
"help": {
"markdown": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie)\n - [https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie](https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie)\n - [https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/](https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/)\n - [https://bento.dev/checks/flask/secure-set-cookie/](https://bento.dev/checks/flask/secure-set-cookie/)\n",
"text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie",
"id": "python.django.security.audit.secure-cookies.django-secure-set-cookie",
"name": "python.django.security.audit.secure-cookies.django-secure-set-cookie",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.secure-cookies.django-secure-set-cookie"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag."
},
"help": {
"markdown": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag)\n - [https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug](https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug)\n - [https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page](https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page)\n",
"text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"id": "python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"name": "python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.templates.debug-template-tag.debug-template-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."
},
"help": {
"markdown": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n",
"text": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password",
"id": "python.django.security.audit.unvalidated-password.unvalidated-password",
"name": "python.django.security.audit.unvalidated-password.unvalidated-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it."
},
"help": {
"markdown": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring)\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\n - [https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11](https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11)\n",
"text": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"id": "python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"name": "python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.class-extends-safestring.class-extends-safestring"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027."
},
"help": {
"markdown": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n",
"text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"id": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"name": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML."
},
"help": {
"markdown": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse)\n - [https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render](https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render)\n - [https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render)\n",
"text": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"id": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"name": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027."
},
"help": {
"markdown": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe)\n - [https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection)\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\n - [https://stackoverflow.com/questions/7665512/why-use-is-safe](https://stackoverflow.com/questions/7665512/why-use-is-safe)\n",
"text": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"id": "python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"name": "python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters."
},
"help": {
"markdown": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter)\n - [https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html)\n",
"text": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"id": "python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"name": "python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027."
},
"help": {
"markdown": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n",
"text": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"id": "python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"name": "python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.global-autoescape-off.global-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method."
},
"help": {
"markdown": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n",
"text": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method",
"id": "python.django.security.audit.xss.html-magic-method.html-magic-method",
"name": "python.django.security.audit.xss.html-magic-method.html-magic-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.html-magic-method.html-magic-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method."
},
"help": {
"markdown": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n",
"text": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe",
"id": "python.django.security.audit.xss.html-safe.html-safe",
"name": "python.django.security.audit.xss.html-safe.html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.html-safe.html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider using `mark_safe` in Python code instead."
},
"help": {
"markdown": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider using `mark_safe` in Python code instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape](https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape)\n",
"text": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider using `mark_safe` in Python code instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"id": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"name": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."
},
"help": {
"markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n",
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."
},
"help": {
"markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n",
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code."
},
"help": {
"markdown": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq)\n - [https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq](https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq)\n",
"text": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"id": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"name": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks."
},
"help": {
"markdown": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token)\n - [https://docs.djangoproject.com/en/4.2/howto/csrf/](https://docs.djangoproject.com/en/4.2/howto/csrf/)\n",
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token",
"id": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"name": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.django-no-csrf-token.django-no-csrf-token"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"
},
"help": {
"markdown": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n",
"text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"id": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"name": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead."
},
"help": {
"markdown": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context)\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\n",
"text": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context",
"id": "python.django.security.globals-as-template-context.globals-as-template-context",
"name": "python.django.security.globals-as-template-context.globals-as-template-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.globals-as-template-context.globals-as-template-context"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs."
},
"help": {
"markdown": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret)\n - [https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
"text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"id": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"name": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 \u2013 Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.hashids-with-django-secret.hashids-with-django-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027."
},
"help": {
"markdown": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n",
"text": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"id": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"name": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."
},
"help": {
"markdown": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"id": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"name": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval",
"id": "python.django.security.injection.code.user-eval.user-eval",
"name": "python.django.security.injection.code.user-eval.user-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-eval.user-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"id": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"name": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-exec-format-string.user-exec-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec",
"id": "python.django.security.injection.code.user-exec.user-exec",
"name": "python.django.security.injection.code.user-exec.user-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-exec.user-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information."
},
"help": {
"markdown": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"id": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"name": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.command.command-injection-os-system.command-injection-os-system"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
},
"help": {
"markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection",
"id": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
"name": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.command.subprocess-injection.subprocess-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
},
"help": {
"markdown": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
"text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"id": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"name": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"properties": {
"precision": "very-high",
"tags": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.email.xss-html-email-body.xss-html-email-body"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
},
"help": {
"markdown": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
"text": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"id": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"name": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"properties": {
"precision": "very-high",
"tags": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html."
},
"help": {
"markdown": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n",
"text": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment",
"id": "python.django.security.injection.mass-assignment.mass-assignment",
"name": "python.django.security.injection.mass-assignment.mass-assignment",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.mass-assignment.mass-assignment"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information."
},
"help": {
"markdown": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect)\n - [https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/](https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/)\n - [https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231](https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231)\n",
"text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect",
"id": "python.django.security.injection.open-redirect.open-redirect",
"name": "python.django.security.injection.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."
},
"help": {
"markdown": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"id": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"name": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."
},
"help": {
"markdown": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"id": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"name": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."
},
"help": {
"markdown": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"id": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"name": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format)\n - [https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render)\n - [https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format",
"id": "python.django.security.injection.raw-html-format.raw-html-format",
"name": "python.django.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"id": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"name": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"id": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"name": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data being passed into a file open, which is then passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."
},
"help": {
"markdown": "Found user-controlled request data being passed into a file open, which is then passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data being passed into a file open, which is then passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"id": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"name": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write",
"id": "python.django.security.injection.request-data-write.request-data-write",
"name": "python.django.security.injection.request-data-write.request-data-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.request-data-write.request-data-write"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
},
"help": {
"markdown": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra)\n",
"text": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"id": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"name": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
},
"help": {
"markdown": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n",
"text": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"id": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"name": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."
},
"help": {
"markdown": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"id": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"name": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."
},
"help": {
"markdown": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"id": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"name": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"id": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"name": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"id": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"name": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string",
"id": "python.django.security.injection.tainted-sql-string.tainted-sql-string",
"name": "python.django.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host",
"id": "python.django.security.injection.tainted-url-host.tainted-url-host",
"name": "python.django.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead."
},
"help": {
"markdown": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context)\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\n",
"text": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context",
"id": "python.django.security.locals-as-template-context.locals-as-template-context",
"name": "python.django.security.locals-as-template-context.locals-as-template-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.locals-as-template-context.locals-as-template-context"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027."
},
"help": {
"markdown": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n",
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.nan-injection.nan-injection",
"id": "python.django.security.nan-injection.nan-injection",
"name": "python.django.security.nan-injection.nan-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.nan-injection.nan-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027."
},
"help": {
"markdown": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
"text": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string",
"id": "python.django.security.passwords.password-empty-string.password-empty-string",
"name": "python.django.security.passwords.password-empty-string.password-empty-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.passwords.password-empty-string.password-empty-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027."
},
"help": {
"markdown": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
"text": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"id": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"name": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container."
},
"help": {
"markdown": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n",
"text": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"id": "python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"name": "python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided."
},
"help": {
"markdown": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://cwe.mitre.org/data/definitions/942.html](https://cwe.mitre.org/data/definitions/942.html)\n",
"text": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors",
"id": "python.fastapi.security.wildcard-cors.wildcard-cors",
"name": "python.fastapi.security.wildcard-cors.wildcard-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.fastapi.security.wildcard-cors.wildcard-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state."
},
"help": {
"markdown": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string)\n",
"text": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string",
"id": "python.flask.caching.query-string.flask-cache-query-string",
"name": "python.flask.caching.query-string.flask-cache-query-string",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.caching.query-string.flask-cache-query-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Running flask app with host 0.0.0.0 could expose the server publicly."
},
"help": {
"markdown": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"id": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"name": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-668: Exposure of Resource to Wrong Sphere",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function"
},
"help": {
"markdown": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"id": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"name": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-668: Exposure of Resource to Wrong Sphere",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables."
},
"help": {
"markdown": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled)\n - [https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/](https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/)\n",
"text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled",
"id": "python.flask.security.audit.debug-enabled.debug-enabled",
"name": "python.flask.security.audit.debug-enabled.debug-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"HIGH CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.debug-enabled.debug-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027."
},
"help": {
"markdown": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"id": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"name": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection"
},
"help": {
"markdown": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true)\n - [https://flask.palletsprojects.com/en/latest/api/#flask.url_for](https://flask.palletsprojects.com/en/latest/api/#flask.url_for)\n - [https://portswigger.net/kb/issues/00500300_host-header-injection](https://portswigger.net/kb/issues/00500300_host-header-injection)\n",
"text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"id": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"name": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-673: External Influence of Sphere Definition",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"
},
"help": {
"markdown": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable"
},
"help": {
"markdown": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"
},
"help": {
"markdown": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead"
},
"help": {
"markdown": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks."
},
"help": {
"markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n",
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string",
"id": "python.flask.security.audit.render-template-string.render-template-string",
"name": "python.flask.security.audit.render-template-string.render-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.render-template-string.render-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration."
},
"help": {
"markdown": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie)\n - [https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie](https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie)\n - [https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options](https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options)\n",
"text": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"id": "python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"name": "python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.secure-set-cookie.secure-set-cookie"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection."
},
"help": {
"markdown": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled)\n - [https://flask-wtf.readthedocs.io/en/1.2.x/csrf/](https://flask-wtf.readthedocs.io/en/1.2.x/csrf/)\n",
"text": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"id": "python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"name": "python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`."
},
"help": {
"markdown": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content)\n - [https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11](https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11)\n - [https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response](https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response)\n - [https://flask.palletsprojects.com/en/1.1.x/api/#response-objects](https://flask.palletsprojects.com/en/1.1.x/api/#response-objects)\n",
"text": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"id": "python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"name": "python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks."
},
"help": {
"markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n - [https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)\n",
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string",
"id": "python.flask.security.dangerous-template-string.dangerous-template-string",
"name": "python.flask.security.dangerous-template-string.dangerous-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.dangerous-template-string.dangerous-template-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD"
},
"help": {
"markdown": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n",
"text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"id": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"name": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-134: Use of Externally-Controlled Format String",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.flask-api-method-string-format.flask-api-method-string-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs."
},
"help": {
"markdown": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret)\n - [https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
"text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"id": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"name": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 \u2013 Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027."
},
"help": {
"markdown": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n",
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection",
"id": "python.flask.security.injection.nan-injection.nan-injection",
"name": "python.flask.security.injection.nan-injection.nan-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.nan-injection.nan-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list."
},
"help": {
"markdown": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection",
"id": "python.flask.security.injection.os-system-injection.os-system-injection",
"name": "python.flask.security.injection.os-system-injection.os-system-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.os-system-injection.os-system-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks."
},
"help": {
"markdown": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open",
"id": "python.flask.security.injection.path-traversal-open.path-traversal-open",
"name": "python.flask.security.injection.path-traversal-open.path-traversal-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.path-traversal-open.path-traversal-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format)\n - [https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format",
"id": "python.flask.security.injection.raw-html-concat.raw-html-format",
"name": "python.flask.security.injection.raw-html-concat.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.raw-html-concat.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests",
"id": "python.flask.security.injection.ssrf-requests.ssrf-requests",
"name": "python.flask.security.injection.ssrf-requests.ssrf-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.ssrf-requests.ssrf-requests"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
},
"help": {
"markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection",
"id": "python.flask.security.injection.subprocess-injection.subprocess-injection",
"name": "python.flask.security.injection.subprocess-injection.subprocess-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"id": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"name": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host",
"id": "python.flask.security.injection.tainted-url-host.tainted-url-host",
"name": "python.flask.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user data flowing into eval. This is code injection and should be avoided."
},
"help": {
"markdown": "Detected user data flowing into eval. This is code injection and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
"text": "Detected user data flowing into eval. This is code injection and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection",
"id": "python.flask.security.injection.user-eval.eval-injection",
"name": "python.flask.security.injection.user-eval.eval-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.user-eval.eval-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user data flowing into exec. This is code injection and should be avoided."
},
"help": {
"markdown": "Detected user data flowing into exec. This is code injection and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n",
"text": "Detected user data flowing into exec. This is code injection and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection",
"id": "python.flask.security.injection.user-exec.exec-injection",
"name": "python.flask.security.injection.user-exec.exec-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON."
},
"help": {
"markdown": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization",
"id": "python.flask.security.insecure-deserialization.insecure-deserialization",
"name": "python.flask.security.insecure-deserialization.insecure-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.insecure-deserialization.insecure-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information."
},
"help": {
"markdown": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect)\n - [https://flask-login.readthedocs.io/en/latest/#login-example](https://flask-login.readthedocs.io/en/latest/#login-example)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1)\n - [https://docs.python.org/3/library/urllib.parse.html#url-parsing](https://docs.python.org/3/library/urllib.parse.html#url-parsing)\n",
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect",
"id": "python.flask.security.open-redirect.open-redirect",
"name": "python.flask.security.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`"
},
"help": {
"markdown": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"id": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"name": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information."
},
"help": {
"markdown": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\n - [https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/](https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/)\n - [https://bento.dev/checks/flask/unescaped-file-extension/](https://bento.dev/checks/flask/unescaped-file-extension/)\n",
"text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension",
"id": "python.flask.security.unescaped-template-extension.unescaped-template-extension",
"name": "python.flask.security.unescaped-template-extension.unescaped-template-extension",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.unescaped-template-extension.unescaped-template-extension"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/)."
},
"help": {
"markdown": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input)\n - [https://flask.palletsprojects.com/en/1.0.x/security/](https://flask.palletsprojects.com/en/1.0.x/security/)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n",
"text": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"id": "python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"name": "python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.unsanitized-input.response-contains-unsanitized-input"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS."
},
"help": {
"markdown": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n",
"text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"id": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"name": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027."
},
"help": {
"markdown": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)\n - [https://tedboy.github.io/flask/generated/generated/flask.Markup.html](https://tedboy.github.io/flask/generated/generated/flask.Markup.html)\n",
"text": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"id": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"name": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on."
},
"help": {
"markdown": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping](https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\n",
"text": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"id": "python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"name": "python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"id": "python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"name": "python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."
},
"help": {
"markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"id": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"name": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"id": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"name": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"id": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"name": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-none-alg.jwt-python-none-alg"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."
},
"help": {
"markdown": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n",
"text": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"id": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"name": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "the `errors` argument to Popen is only available on Python 3.6+"
},
"help": {
"markdown": "the `errors` argument to Popen is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1)\n",
"text": "the `errors` argument to Popen is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1",
"id": "python.lang.compatibility.python36.python36-compatibility-Popen1",
"name": "python.lang.compatibility.python36.python36-compatibility-Popen1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "the `encoding` argument to Popen is only available on Python 3.6+"
},
"help": {
"markdown": "the `encoding` argument to Popen is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n",
"text": "the `encoding` argument to Popen is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2",
"id": "python.lang.compatibility.python36.python36-compatibility-Popen2",
"name": "python.lang.compatibility.python36.python36-compatibility-Popen2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "this function is only available on Python 3.6+"
},
"help": {
"markdown": "this function is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl)\n",
"text": "this function is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl",
"id": "python.lang.compatibility.python36.python36-compatibility-ssl",
"name": "python.lang.compatibility.python36.python36-compatibility-ssl",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-ssl"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below."
},
"help": {
"markdown": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn)\n",
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn",
"id": "python.lang.compatibility.python37.python37-compatibility-httpconn",
"name": "python.lang.compatibility.python37.python37-compatibility-httpconn",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpconn"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below."
},
"help": {
"markdown": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn)\n",
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn",
"id": "python.lang.compatibility.python37.python37-compatibility-httpsconn",
"name": "python.lang.compatibility.python37.python37-compatibility-httpsconn",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpsconn"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function."
},
"help": {
"markdown": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib)\n",
"text": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."
},
"help": {
"markdown": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n",
"text": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib2",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."
},
"help": {
"markdown": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3)\n",
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib3",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib3",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib3"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027."
},
"help": {
"markdown": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1)\n",
"text": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv4network1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027."
},
"help": {
"markdown": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2)\n",
"text": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv4network2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027."
},
"help": {
"markdown": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1)\n",
"text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv6network1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027."
},
"help": {
"markdown": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2)\n",
"text": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv6network2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument."
},
"help": {
"markdown": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1)\n",
"text": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1",
"id": "python.lang.compatibility.python37.python37-compatibility-locale1",
"name": "python.lang.compatibility.python37.python37-compatibility-locale1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-locale1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y."
},
"help": {
"markdown": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1)\n",
"text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1",
"id": "python.lang.compatibility.python37.python37-compatibility-math1",
"name": "python.lang.compatibility.python37.python37-compatibility-math1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-math1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join()."
},
"help": {
"markdown": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1)\n",
"text": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"id": "python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"name": "python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."
},
"help": {
"markdown": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n",
"text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"id": "python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"name": "python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."
},
"help": {
"markdown": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n",
"text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1",
"id": "python.lang.compatibility.python37.python37-compatibility-os1",
"name": "python.lang.compatibility.python37.python37-compatibility-os1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "os.pwritev() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev()."
},
"help": {
"markdown": "os.pwritev() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2)\n",
"text": "os.pwritev() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"id": "python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"name": "python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os2-ok2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument."
},
"help": {
"markdown": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb)\n",
"text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb",
"id": "python.lang.compatibility.python37.python37-compatibility-pdb",
"name": "python.lang.compatibility.python37.python37-compatibility-pdb",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-pdb"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This class is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."
},
"help": {
"markdown": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This class is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n",
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This class is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"id": "python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"name": "python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"
},
"help": {
"markdown": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n",
"text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv",
"id": "python.lang.security.audit.conn_recv.multiprocessing-recv",
"name": "python.lang.security.audit.conn_recv.multiprocessing-recv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function."
},
"help": {
"markdown": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage)\n - [https://docs.python.org/3/library/typing.html#typing.get_type_hints](https://docs.python.org/3/library/typing.html#typing.get_type_hints)\n",
"text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"id": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"name": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead."
},
"help": {
"markdown": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected)\n - [https://cwe.mitre.org/data/definitions/939.html](https://cwe.mitre.org/data/definitions/939.html)\n",
"text": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"id": "python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"name": "python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-939: Improper Authorization in Handler for Custom URL Scheme",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected",
"id": "python.lang.security.audit.eval-detected.eval-detected",
"name": "python.lang.security.audit.eval-detected.eval-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.eval-detected.eval-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected",
"id": "python.lang.security.audit.exec-detected.exec-detected",
"name": "python.lang.security.audit.exec-detected.exec-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected possible formatted SQL query. Use parameterized queries instead."
},
"help": {
"markdown": "Detected possible formatted SQL query. Use parameterized queries instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n",
"text": "Detected possible formatted SQL query. Use parameterized queries instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"id": "python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"name": "python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied."
},
"help": {
"markdown": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"id": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"name": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information."
},
"help": {
"markdown": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n",
"text": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"id": "python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"name": "python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.httpsconnection-detected.httpsconnection-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "These permissions `$BITS` are overly permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."
},
"help": {
"markdown": "These permissions `$BITS` are overly permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "These permissions `$BITS` are overly permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"id": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"name": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead."
},
"help": {
"markdown": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls)\n - [https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS](https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS)\n",
"text": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"id": "python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"name": "python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"id": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"name": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"id": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"name": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"id": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"name": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel."
},
"help": {
"markdown": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers)\n - [https://docs.python.org/3/library/ssl.html#cipher-selection](https://docs.python.org/3/library/ssl.html#cipher-selection)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers)\n",
"text": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"id": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"name": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n",
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n",
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n",
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n",
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP."
},
"help": {
"markdown": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\n",
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\n",
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\n",
"text": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\n",
"text": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\n",
"text": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\n",
"text": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP."
},
"help": {
"markdown": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve)\n",
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve)\n",
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."
},
"help": {
"markdown": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n",
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval",
"id": "python.lang.security.audit.logging.listeneval.listen-eval",
"name": "python.lang.security.audit.logging.listeneval.listen-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information."
},
"help": {
"markdown": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n",
"text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"id": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"name": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-532: Insertion of Sensitive Information into Log File",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."
},
"help": {
"markdown": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n",
"text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"id": "python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"name": "python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security"
},
"help": {
"markdown": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage)\n - [https://docs.python.org/3/library/marshal.html?highlight=security](https://docs.python.org/3/library/marshal.html?highlight=security)\n",
"text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage",
"id": "python.lang.security.audit.marshal.marshal-usage",
"name": "python.lang.security.audit.marshal.marshal-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.marshal.marshal-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file."
},
"help": {
"markdown": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"id": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"name": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "certificate verification explicitly disabled, insecure connections possible"
},
"help": {
"markdown": "certificate verification explicitly disabled, insecure connections possible\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "certificate verification explicitly disabled, insecure connections possible\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"id": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"name": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications."
},
"help": {
"markdown": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection)\n - [https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool](https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool)\n",
"text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"id": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"name": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code."
},
"help": {
"markdown": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.non-literal-import.non-literal-import)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.non-literal-import.non-literal-import",
"id": "python.lang.security.audit.non-literal-import.non-literal-import",
"name": "python.lang.security.audit.non-literal-import.non-literal-import",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.non-literal-import.non-literal-import"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead."
},
"help": {
"markdown": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy)\n",
"text": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"id": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"name": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-322: Key Exchange without Entity Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead."
},
"help": {
"markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n",
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"id": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"name": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT"
},
"help": {
"markdown": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell)\n - [https://cwe.mitre.org/data/definitions/553.html](https://cwe.mitre.org/data/definitions/553.html)\n",
"text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"id": "python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"name": "python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-553: Command Shell in Externally Accessible Directory",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.python-reverse-shell.python-reverse-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash",
"id": "python.lang.security.audit.sha224-hash.sha224-hash",
"name": "python.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli)\n - [https://github.com/aio-libs/aiopg](https://github.com/aio-libs/aiopg)\n",
"text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"id": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"name": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n",
"text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"id": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"name": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli)\n - [https://github.com/tlocke/pg8000](https://github.com/tlocke/pg8000)\n",
"text": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"id": "python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"name": "python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can compose dynamic identifiers safely with \u0027psycopg2.sql.SQL\u0027 and \u0027sql.Identifier\u0027. You can also use the pyformat binding style to create parameterized queries, passing the values as a separate tuple so the driver quotes them. For example: \u0027cur.execute(\"SELECT * FROM table WHERE name=%s\", (user_input,))\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can compose dynamic identifiers safely with \u0027psycopg2.sql.SQL\u0027 and \u0027sql.Identifier\u0027. You can also use the pyformat binding style to create parameterized queries, passing the values as a separate tuple so the driver quotes them. For example: \u0027cur.execute(\"SELECT * FROM table WHERE name=%s\", (user_input,))\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n",
"text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can compose dynamic identifiers safely with \u0027psycopg2.sql.SQL\u0027 and \u0027sql.Identifier\u0027. You can also use the pyformat binding style to create parameterized queries, passing the values as a separate tuple so the driver quotes them. For example: \u0027cur.execute(\"SELECT * FROM table WHERE name=%s\", (user_input,))\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"id": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"name": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket."
},
"help": {
"markdown": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated)\n - [https://docs.python.org/3/library/ssl.html#ssl.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)\n",
"text": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"id": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"name": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead."
},
"help": {
"markdown": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n",
"text": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"id": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"name": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."
},
"help": {
"markdown": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n",
"text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"id": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"name": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-155: Improper Neutralization of Wildcards or Matching Symbols",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Telnet does not encrypt communications. Use SSH instead."
},
"help": {
"markdown": "Telnet does not encrypt communications. Use SSH instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib)\n - [https://docs.python.org/3/library/telnetlib.html](https://docs.python.org/3/library/telnetlib.html)\n",
"text": "Telnet does not encrypt communications. Use SSH instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib",
"id": "python.lang.security.audit.telnetlib.telnetlib",
"name": "python.lang.security.audit.telnetlib.telnetlib",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.telnetlib.telnetlib"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher."
},
"help": {
"markdown": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n - [https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2](https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2)\n",
"text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"id": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"name": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.weak-ssl-version.weak-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"id": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"name": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-code-run.dangerous-interactive-code-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027."
},
"help": {
"markdown": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n",
"text": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use",
"id": "python.lang.security.dangerous-globals-use.dangerous-globals-use",
"name": "python.lang.security.dangerous-globals-use.dangerous-globals-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-globals-use.dangerous-globals-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
},
"help": {
"markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec",
"id": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
"name": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-os-exec.dangerous-os-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
},
"help": {
"markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"id": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"name": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-spawn-process.dangerous-spawn-process"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"id": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"name": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. Pass the command as an argument list with \u0027shell=False\u0027; if a shell string is unavoidable, quote each user-supplied argument with \u0027shlex.quote()\u0027."
},
"help": {
"markdown": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. Pass the command as an argument list with \u0027shell=False\u0027; if a shell string is unavoidable, quote each user-supplied argument with \u0027shlex.quote()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. Pass the command as an argument list with \u0027shell=False\u0027; if a shell string is unavoidable, quote each user-supplied argument with \u0027shlex.quote()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"id": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"name": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability."
},
"help": {
"markdown": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call",
"id": "python.lang.security.dangerous-system-call.dangerous-system-call",
"name": "python.lang.security.dangerous-system-call.dangerous-system-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-system-call.dangerous-system-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"id": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"name": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."
},
"help": {
"markdown": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n",
"text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"id": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"name": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."
},
"help": {
"markdown": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n",
"text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"id": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"name": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead."
},
"help": {
"markdown": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n",
"text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"id": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"name": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle",
"id": "python.lang.security.deserialization.pickle.avoid-cPickle",
"name": "python.lang.security.deserialization.pickle.avoid-cPickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill",
"id": "python.lang.security.deserialization.pickle.avoid-dill",
"name": "python.lang.security.deserialization.pickle.avoid-dill",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-dill"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle",
"id": "python.lang.security.deserialization.pickle.avoid-pickle",
"name": "python.lang.security.deserialization.pickle.avoid-pickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-pickle"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve",
"id": "python.lang.security.deserialization.pickle.avoid-shelve",
"name": "python.lang.security.deserialization.pickle.avoid-shelve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-shelve"
}
},
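The four pickle-family rules above (cPickle, dill, pickle, shelve) describe one failure mode: the unpickler calls whatever callable the byte stream names. The following added example is written for this page; it is not Semgrep's code nor the scanned project's. It builds such a payload with a harmless stand-in callable (os.getcwd where a real attacker would name os.system), shows that pickle.loads runs it, and then shows the two mitigations the rules point at: an allow-list Unpickler modelled on the pattern in the Python pickle documentation, and plain JSON for the data that actually needs to travel. The PickleBomb and Session classes and their field names are constructed for the demonstration.

```python
import builtins
import io
import json
import os
import pickle
from dataclasses import asdict, dataclass
from typing import Any


class PickleBomb:
    """Constructed payload. pickle serialises an object through __reduce__, and the
    unpickler calls the returned callable with the returned arguments. A real attacker
    returns (os.system, ("curl http://... | sh",)); os.getcwd is used here so the demo is
    safe to run yet still proves that code of the stream's choosing ran inside loads()."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    """Bytes an attacker could hand to any pickle.loads / shelve / dill consumer."""
    return pickle.dumps(PickleBomb())


def unsafe_loads(data: bytes) -> Any:
    """What the flagged code does: trusts the bytes completely."""
    return pickle.loads(data)


def loads_ran_attacker_callable(data: bytes) -> bool:
    """Evidence that loads() executed the payload: the result is the interpreter's current
    directory, a value the bytes themselves never contained."""
    return unsafe_loads(data) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler (pattern from the Python docs): only a few harmless builtins may
    be named by the stream. posix.getcwd, os.system, subprocess.* are refused before any call."""

    SAFE_BUILTINS = frozenset({"range", "slice", "set", "frozenset", "complex"})

    def find_class(self, module: str, name: str):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_is_blocked(data: bytes) -> bool:
    """True when the restricted unpickler refuses the stream instead of executing it."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


@dataclass(frozen=True)
class Session:
    """Constructed record standing in for whatever the application kept in shelve/pickle.
    Plain data like this needs no pickle at all."""
    user_id: int
    roles: tuple
    csrf_token: str


def session_to_json(session: Session) -> str:
    return json.dumps(asdict(session))


def session_from_json(text: str) -> Session:
    """JSON can only yield dicts, lists, strings, numbers and booleans; the constructor,
    not the input, decides which object gets built and with which types."""
    raw = json.loads(text)
    return Session(user_id=int(raw["user_id"]),
                   roles=tuple(str(r) for r in raw["roles"]),
                   csrf_token=str(raw["csrf_token"]))


if __name__ == "__main__":
    payload = build_payload()
    print("pickle.loads executed the payload:", loads_ran_attacker_callable(payload))
    print("RestrictedUnpickler blocked it:", payload_is_blocked(payload))
    s = Session(42, ("reader",), "c0ffee")
    print("JSON round trip intact:", session_from_json(session_to_json(s)) == s)
```

The allow-list is the last line of defence, not the fix: it still parses attacker-controlled opcodes, and every name added to SAFE_BUILTINS widens the attack surface again. Where the data is records, as the rules suggest, JSON removes the problem instead of fencing it.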
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"id": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"name": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead."
},
"help": {
"markdown": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function",
"id": "python.lang.security.insecure-hash-function.insecure-hash-function",
"name": "python.lang.security.insecure-hash-function.insecure-hash-function",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-hash-function.insecure-hash-function"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."
},
"help": {
"markdown": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n",
"text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version",
"id": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
"name": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"
}
},
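The UUID rule above names the sandwich attack without showing why a version-1 UUID is guessable. The added example below is written for this page, not taken from Semgrep or the scanned project. It decomposes a v1 UUID into the three things it leaks (60-bit timestamp, 14-bit clock sequence, 48-bit node), rebuilds UUIDs from those parts, and then enumerates every token a victim could have been issued between two tokens the attacker obtained from the same generator. simulate_sandwich passes a fixed node and clock sequence to uuid.uuid1 so that all three tokens come from one generator state, which is what a single host using libuuid gives you; on platforms where CPython falls back to its pure-Python uuid1, the clock sequence is re-randomised per call, which multiplies the search space by at most 2^14 but does not change the picture. The node value used by default is constructed.

```python
import uuid
from typing import Dict, Iterator, Tuple


def uuid1_fields(u: uuid.UUID) -> Dict[str, int]:
    """Everything a version-1 UUID leaks: the timestamp in 100 ns units since 1582-10-15,
    the clock sequence, and the node, which is normally the host's MAC address."""
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    return {"time": u.time, "clock_seq": u.clock_seq, "node": u.node}


def uuid1_from_parts(timestamp: int, clock_seq: int, node: int) -> uuid.UUID:
    """Inverse of uuid1_fields: rebuild the UUID from the three leaked components.
    uuid.UUID(..., version=1) writes the version and variant bits for us."""
    return uuid.UUID(
        fields=(
            timestamp & 0xFFFFFFFF,         # time_low
            (timestamp >> 32) & 0xFFFF,     # time_mid
            (timestamp >> 48) & 0x0FFF,     # time_hi
            (clock_seq >> 8) & 0x3F,        # clock_seq_hi
            clock_seq & 0xFF,               # clock_seq_low
            node,
        ),
        version=1,
    )


def candidate_count(before: uuid.UUID, after: uuid.UUID) -> int:
    """Number of timestamps strictly between two v1 UUIDs from the same generator."""
    return uuid1_fields(after)["time"] - uuid1_fields(before)["time"] - 1


def sandwich_candidates(before: uuid.UUID, after: uuid.UUID,
                        limit: int = 1_000_000) -> Iterator[uuid.UUID]:
    """Sandwich attack: an attacker who requested one token just before and one just after
    the victim's (same host, so same node and clock sequence) only has to try the
    timestamps in between. Yields every candidate; refuses gaps beyond `limit`."""
    lo, hi = uuid1_fields(before), uuid1_fields(after)
    if (lo["node"], lo["clock_seq"]) != (hi["node"], hi["clock_seq"]):
        raise ValueError("bracketing UUIDs come from different generator states")
    if candidate_count(before, after) > limit:
        raise ValueError("gap too large for this demonstration")
    for t in range(lo["time"] + 1, hi["time"]):
        yield uuid1_from_parts(t, lo["clock_seq"], lo["node"])


def simulate_sandwich(node: int = 0x0A0B0C0D0E0F, clock_seq: int = 0x1234) -> Tuple[bool, int]:
    """Attacker token, victim token (say, a password-reset link), attacker token, all from
    one generator state; returns whether enumeration recovers the victim's token and how
    many candidates had to be tried. The default node is a constructed MAC-like value."""
    before = uuid.uuid1(node, clock_seq)
    victim = uuid.uuid1(node, clock_seq)
    after = uuid.uuid1(node, clock_seq)
    found = victim in set(sandwich_candidates(before, after))
    return found, candidate_count(before, after)


def is_guessable(u: uuid.UUID) -> bool:
    """Policy check for anything used as a secret: v1 is time/MAC based, v4 carries 122
    random bits from os.urandom."""
    return u.version == 1


def new_token() -> uuid.UUID:
    return uuid.uuid4()


if __name__ == "__main__":
    found, count = simulate_sandwich()
    print(f"victim token recovered: {found} after at most {count} guesses")
    print("uuid4 token guessable:", is_guessable(new_token()))
```

Even a gap of a full second is only ten million candidates, which is a few seconds of HTTP requests against an endpoint without rate limiting; uuid4 is the right answer for tokens, and for identifiers that must sort by time prefer a format whose random part is still large.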
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead."
},
"help": {
"markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n",
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context",
"id": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
"name": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"
}
},
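The unverified-SSL-context rule above says what to use instead but not what the two contexts differ in. The added example below, written for this page and not part of Semgrep or the scanned project, builds the flagged context and the recommended one side by side and audits an SSLContext the way a reviewer would, so the same check can be dropped into a test suite. The optional cafile argument is the caller's private CA bundle; no path is assumed.

```python
import ssl
from typing import List, Optional


def unverified_client_context() -> ssl.SSLContext:
    """What the rule flags: the equivalent of ssl._create_unverified_context(). With
    verification off, any on-path attacker can terminate the TLS session with a
    certificate of their own. check_hostname must be cleared before verify_mode can
    be lowered, which is why the two lines are in this order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The fix: ssl.create_default_context() loads the platform trust store, requires a
    valid chain (CERT_REQUIRED) and a matching hostname. Passing a private CA bundle
    pins an internal service to that CA instead of the public roots. The minimum
    protocol version is set explicitly rather than relying on the OpenSSL build."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise about a client-side context; empty means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version {ctx.minimum_version.name} permits obsolete protocol versions")
    return findings


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["clean"])
```

The same audit applies to contexts handed to http.client.HTTPSConnection, urllib, or aiohttp: inspect the object the code actually passes, because a library default that is secure today can be overridden one attribute at a time.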
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`."
},
"help": {
"markdown": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse)\n - [https://docs.python.org/3/library/xml.html](https://docs.python.org/3/library/xml.html)\n - [https://github.com/tiran/defusedxml](https://github.com/tiran/defusedxml)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n",
"text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"id": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"name": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.use-defused-xml-parse.use-defused-xml-parse"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."
},
"help": {
"markdown": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n",
"text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"id": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"name": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"properties": {
"precision": "very-high",
"tags": [
"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"
}
},
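The two XML rules above (xml and xmlrpc) both come down to the expat parser underneath the standard library honouring DTD features that untrusted input should never get to use. The added example below is written for this page, not taken from Semgrep, defusedxml or the scanned project; it is a standard-library-only illustration of what defusedxml does: install expat handlers that refuse entity declarations, external entity references and, by default, any DOCTYPE, then build a small tree from the parse events. The same handlers are what defusedxml.xmlrpc installs on xmlrpc.client's ExpatParser. The three XML documents are constructed; the recommendation to use defusedxml in production stands.

```python
from dataclasses import dataclass, field
from typing import List
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised as soon as the document reaches for a DTD feature we do not accept."""


@dataclass
class Node:
    tag: str
    attrs: dict
    text: str = ""
    children: List["Node"] = field(default_factory=list)


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> Node:
    """Parse with the stdlib expat parser, but refuse the constructs behind XXE and
    entity-expansion ('billion laughs') attacks before expat acts on them. Exceptions
    raised inside expat handlers propagate out of Parse(), which is what stops the parse."""
    parser = expat.ParserCreate()
    root = Node("", {})
    stack = [root]

    def refuse_entity(*_args):
        raise UnsafeXMLError("entity declaration not allowed in untrusted XML")

    def refuse_doctype(*_args):
        if forbid_dtd:
            raise UnsafeXMLError("DOCTYPE not allowed in untrusted XML")

    def refuse_external(*_args):
        raise UnsafeXMLError("external entity reference not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.UnparsedEntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external

    def start(tag, attrs):
        node = Node(tag, dict(attrs))
        stack[-1].children.append(node)
        stack.append(node)

    def end(_tag):
        stack.pop()

    def chars(text):
        stack[-1].text += text   # expat may deliver text in several chunks

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root.children[0]


def is_rejected(data: bytes, forbid_dtd: bool = True) -> bool:
    try:
        parse_untrusted_xml(data, forbid_dtd)
    except UnsafeXMLError:
        return True
    return False


# Constructed inputs: one benign order, one classic XXE, one small entity bomb.
BENIGN = b'<?xml version="1.0"?><order id="17"><item sku="A1">2</item><note>rush</note></order>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<d>&xxe;</d>')
LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE l [<!ENTITY a "aaaaaaaaaa">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><l>&b;</l>')

if __name__ == "__main__":
    tree = parse_untrusted_xml(BENIGN)
    print("benign:", tree.tag, tree.attrs, [c.tag for c in tree.children])
    print("XXE rejected:", is_rejected(XXE), "| with DTDs allowed:", is_rejected(XXE, forbid_dtd=False))
    print("entity bomb rejected:", is_rejected(LAUGHS, forbid_dtd=False))
```

With forbid_dtd=False the parser still refuses every entity declaration, so a schema-bearing DOCTYPE can pass while the two attack documents cannot. Note that recent libexpat versions already cap entity amplification, which is why a billion-laughs test against a modern interpreter may fail to exhaust memory; the declaration-time refusal above does not depend on that.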
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."
},
"help": {
"markdown": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n",
"text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"id": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"name": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"id": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"name": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/dsa](https://www.pycryptodome.org/src/public_key/dsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"id": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"name": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/rsa#rsa](https://www.pycryptodome.org/src/public_key/rsa#rsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."
},
"help": {
"markdown": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n",
"text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth",
"id": "python.pymongo.security.mongodb.mongo-client-bad-auth",
"name": "python.pymongo.security.mongodb.mongo-client-bad-auth",
"properties": {
"precision": "very-high",
"tags": [
"CWE-477: Use of Obsolete Function",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML."
},
"help": {
"markdown": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"id": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"name": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements."
},
"help": {
"markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection)\n - [https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data](https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data)\n",
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"id": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"name": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."
},
"help": {
"markdown": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n",
"text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation",
"id": "python.requests.security.disabled-cert-validation.disabled-cert-validation",
"name": "python.requests.security.disabled-cert-validation.disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http)\n - [https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/](https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/)\n - [https://bento.dev/checks/requests/no-auth-over-http/](https://bento.dev/checks/requests/no-auth-over-http/)\n",
"text": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http",
"id": "python.requests.security.no-auth-over-http.no-auth-over-http",
"name": "python.requests.security.no-auth-over-http.no-auth-over-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-523: Unprotected Transport of Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.requests.security.no-auth-over-http.no-auth-over-http"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument."
},
"help": {
"markdown": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sh.security.string-concat.string-concat)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sh.security.string-concat.string-concat",
"id": "python.sh.security.string-concat.string-concat",
"name": "python.sh.security.string-concat.string-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sh.security.string-concat.string-concat"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Rather than adding one element at a time, consider batch loading to improve performance."
},
"help": {
"markdown": "Rather than adding one element at a time, consider batch loading to improve performance.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import)\n",
"text": "Rather than adding one element at a time, consider batch loading to improve performance.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import",
"id": "python.sqlalchemy.performance.performance-improvements.batch-import",
"name": "python.sqlalchemy.performance.performance-improvements.batch-import",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.performance.performance-improvements.batch-import"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side."
},
"help": {
"markdown": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count)\n",
"text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count",
"id": "python.sqlalchemy.performance.performance-improvements.len-all-count",
"name": "python.sqlalchemy.performance.performance-improvements.len-all-count",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.performance.performance-improvements.len-all-count"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL."
},
"help": {
"markdown": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n",
"text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"id": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"name": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option."
},
"help": {
"markdown": "Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n",
"text": "Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"id": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"name": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer passes raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer passes raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use bindparams to securely bind user input to SQL statements."
},
"help": {
"markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer passes raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer passes raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use bindparams to securely bind user input to SQL statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer passes raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer passes raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use bindparams to securely bind user input to SQL statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"id": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"name": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands"
},
"help": {
"markdown": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection)\n - [https://codeberg.org/fennix/funjection](https://codeberg.org/fennix/funjection)\n",
"text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection",
"id": "python.twilio.security.twiml-injection.twiml-injection",
"name": "python.twilio.security.twiml-injection.twiml-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-91: XML Injection",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.twilio.security.twiml-injection.twiml-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli)\n - [https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql](https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"id": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"name": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli)\n - [https://github.com/brianmario/mysql2](https://github.com/brianmario/mysql2)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"id": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"name": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli",
"id": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
"name": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"id": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"name": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil."
},
"help": {
"markdown": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization)\n - [https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html](https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
"text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"id": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"name": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"id": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"name": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"id": "ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"name": "ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."
},
"help": {
"markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"id": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"name": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"id": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"name": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"id": "ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"name": "ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash",
"id": "ruby.lang.security.audit.sha224-hash.sha224-hash",
"name": "ruby.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead."
},
"help": {
"markdown": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
"text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization",
"id": "ruby.lang.security.bad-deserialization.bad-deserialization",
"name": "ruby.lang.security.bad-deserialization.bad-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.bad-deserialization.bad-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."
},
"help": {
"markdown": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n",
"text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization",
"id": "ruby.lang.security.cookie-serialization.cookie-serialization",
"name": "ruby.lang.security.cookie-serialization.cookie-serialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set."
},
"help": {
"markdown": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.create-with.create-with)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ](https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ)\n",
"text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.create-with.create-with",
"id": "ruby.lang.security.create-with.create-with",
"name": "ruby.lang.security.create-with.create-with",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.create-with.create-with"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n",
"text": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec",
"id": "ruby.lang.security.dangerous-exec.dangerous-exec",
"name": "ruby.lang.security.dangerous-exec.dangerous-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open",
"id": "ruby.lang.security.dangerous-open.dangerous-open",
"name": "ruby.lang.security.dangerous-open.dangerous-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"id": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"name": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell",
"id": "ruby.lang.security.dangerous-subshell.dangerous-subshell",
"name": "ruby.lang.security.dangerous-subshell.dangerous-subshell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."
},
"help": {
"markdown": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall",
"id": "ruby.lang.security.dangerous-syscall.dangerous-syscall",
"name": "ruby.lang.security.dangerous-syscall.dangerous-syscall",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a possible ZeroDivisionError."
},
"help": {
"markdown": "Detected a possible ZeroDivisionError.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb)\n",
"text": "Detected a possible ZeroDivisionError.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero",
"id": "ruby.lang.security.divide-by-zero.divide-by-zero",
"name": "ruby.lang.security.divide-by-zero.divide-by-zero",
"properties": {
"precision": "very-high",
"tags": [
"CWE-369: Divide By Zero",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.divide-by-zero.divide-by-zero"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false."
},
"help": {
"markdown": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ](https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ)\n",
"text": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure",
"id": "ruby.lang.security.file-disclosure.file-disclosure",
"name": "ruby.lang.security.file-disclosure.file-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.file-disclosure.file-disclosure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true."
},
"help": {
"markdown": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb)\n",
"text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false",
"id": "ruby.lang.security.force-ssl-false.force-ssl-false",
"name": "ruby.lang.security.force-ssl-false.force-ssl-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"HIGH CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.force-ssl-false.force-ssl-false"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."
},
"help": {
"markdown": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"id": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"name": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file."
},
"help": {
"markdown": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"id": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"name": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher."
},
"help": {
"markdown": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS."
},
"help": {
"markdown": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape",
"id": "ruby.lang.security.json-entity-escape.json-entity-escape",
"name": "ruby.lang.security.json-entity-escape.json-entity-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.json-entity-escape.json-entity-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assignment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect."
},
"help": {
"markdown": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assignment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assignment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"id": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"name": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password",
"id": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
"name": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class."
},
"help": {
"markdown": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"id": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"name": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible."
},
"help": {
"markdown": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb)\n",
"text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible",
"id": "ruby.lang.security.model-attr-accessible.model-attr-accessible",
"name": "ruby.lang.security.model-attr-accessible.model-attr-accessible",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.model-attr-accessible.model-attr-accessible"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes."
},
"help": {
"markdown": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb)\n",
"text": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"id": "ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"name": "ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval."
},
"help": {
"markdown": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval",
"id": "ruby.lang.security.no-eval.ruby-eval",
"name": "ruby.lang.security.no-eval.ruby-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.no-eval.ruby-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."
},
"help": {
"markdown": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n",
"text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.no-send.bad-send",
"id": "ruby.lang.security.no-send.bad-send",
"name": "ruby.lang.security.no-send.bad-send",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.no-send.bad-send"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead."
},
"help": {
"markdown": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"id": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"name": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access."
},
"help": {
"markdown": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n",
"text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"id": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"name": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead."
},
"help": {
"markdown": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5)\n - [https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575](https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575)\n",
"text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"id": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"name": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.weak-hashes-md5.weak-hashes-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."
},
"help": {
"markdown": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n",
"text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"id": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"name": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn\u0027t intend them to. Do not use user input as a session key."
},
"help": {
"markdown": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n",
"text": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"id": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"name": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Allowing an attacker to manipulate the session may lead to unintended behavior."
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"id": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"name": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"id": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"name": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"id": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"name": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"id": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"name": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."
},
"help": {
"markdown": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"id": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"name": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This call turns off CSRF protection allowing CSRF attacks against the application"
},
"help": {
"markdown": "This call turns off CSRF protection allowing CSRF attacks against the application\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection)\n - [https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection)\n",
"text": "This call turns off CSRF protection allowing CSRF attacks against the application\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"id": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"name": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
"text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"id": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"name": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!"
},
"help": {
"markdown": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"id": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"name": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."
},
"help": {
"markdown": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n",
"text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"id": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"name": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."
},
"help": {
"markdown": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"id": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"name": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument."
},
"help": {
"markdown": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to)\n - [https://brakemanscanner.org/docs/warning_types/link_to/](https://brakemanscanner.org/docs/warning_types/link_to/)\n - [https://brakemanscanner.org/docs/warning_types/link_to_href/](https://brakemanscanner.org/docs/warning_types/link_to_href/)\n",
"text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"id": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"name": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`."
},
"help": {
"markdown": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw](https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"id": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"name": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-raw.avoid-raw"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect."
},
"help": {
"markdown": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect)\n - [https://brakemanscanner.org/docs/warning_types/redirect/](https://brakemanscanner.org/docs/warning_types/redirect/)\n",
"text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"id": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"name": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template."
},
"help": {
"markdown": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n",
"text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"id": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"name": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method."
},
"help": {
"markdown": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n",
"text": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"id": "ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"name": "ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text."
},
"help": {
"markdown": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n",
"text": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"id": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"name": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027."
},
"help": {
"markdown": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n",
"text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"id": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"name": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify."
},
"help": {
"markdown": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n",
"text": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"id": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"name": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data."
},
"help": {
"markdown": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag)\n - [https://brakemanscanner.org/docs/warning_types/content_tag/](https://brakemanscanner.org/docs/warning_types/content_tag/)\n",
"text": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"id": "ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"name": "ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."
},
"help": {
"markdown": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n",
"text": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"id": "ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"name": "ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."
},
"help": {
"markdown": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n",
"text": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"id": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"name": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\"."
},
"help": {
"markdown": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\n",
"text": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"id": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"name": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header."
},
"help": {
"markdown": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n",
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"id": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"name": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"id": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"name": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value."
},
"help": {
"markdown": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"id": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"name": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."
},
"help": {
"markdown": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n",
"text": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"id": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"name": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`."
},
"help": {
"markdown": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include)\n - [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)\n - [https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60](https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60)\n",
"text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"id": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"name": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"
},
"help": {
"markdown": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n",
"text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file",
"id": "ruby.rails.security.brakeman.check-send-file.check-send-file",
"name": "ruby.rails.security.brakeman.check-send-file.check-send-file",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries."
},
"help": {
"markdown": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb)\n",
"text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql",
"id": "ruby.rails.security.brakeman.check-sql.check-sql",
"name": "ruby.rails.security.brakeman.check-sql.check-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-sql.check-sql"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"
},
"help": {
"markdown": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n",
"text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"id": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"name": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input."
},
"help": {
"markdown": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb)\n",
"text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"id": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"name": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`."
},
"help": {
"markdown": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find)\n - [https://brakemanscanner.org/docs/warning_types/unscoped_find/](https://brakemanscanner.org/docs/warning_types/unscoped_find/)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb)\n",
"text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"id": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"name": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"properties": {
"precision": "very-high",
"tags": [
"CWE-639: Authorization Bypass Through User-Controlled Key",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format",
"id": "ruby.rails.security.injection.raw-html-format.raw-html-format",
"name": "ruby.rails.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"id": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"name": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/arkadiyt/ssrf_filter](https://github.com/arkadiyt/ssrf_filter)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"id": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"name": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dangerously accepting invalid TLS information"
},
"help": {
"markdown": "Dangerously accepting invalid TLS information\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs)\n",
"text": "Dangerously accepting invalid TLS information\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"id": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"name": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dangerous client config used, ensure SSL verification"
},
"help": {
"markdown": "Dangerous client config used, ensure SSL verification\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n",
"text": "Dangerous client config used, ensure SSL verification\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous",
"id": "rust.lang.security.rustls-dangerous.rustls-dangerous",
"name": "rust.lang.security.rustls-dangerous.rustls-dangerous",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "SSL verification disabled, this allows for MitM attacks"
},
"help": {
"markdown": "SSL verification disabled, this allows for MitM attacks\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n",
"text": "SSL verification disabled, this allows for MitM attacks\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none",
"id": "rust.lang.security.ssl-verify-none.ssl-verify-none",
"name": "rust.lang.security.ssl-verify-none.ssl-verify-none",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode)\n - [https://jwt-scala.github.io/jwt-scala/](https://jwt-scala.github.io/jwt-scala/)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"id": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"name": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"id": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"name": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"id": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"name": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n",
"text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"id": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"name": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"id": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"name": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead."
},
"help": {
"markdown": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random",
"id": "scala.lang.security.audit.insecure-random.insecure-random",
"name": "scala.lang.security.audit.insecure-random.insecure-random",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.insecure-random.insecure-random"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource](https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource)\n",
"text": "A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"id": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"name": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.io-source-ssrf.io-source-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation."
},
"help": {
"markdown": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"id": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"name": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead."
},
"help": {
"markdown": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"id": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"name": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"properties": {
"precision": "very-high",
"tags": [
"CWE-780: Use of RSA Algorithm without OAEP",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.rsa-padding-set.rsa-padding-set"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"id": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"name": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"id": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"name": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration."
},
"help": {
"markdown": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug)\n - [https://docs.scala-lang.org/overviews/compiler-options/index.html](https://docs.scala-lang.org/overviews/compiler-options/index.html)\n",
"text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug",
"id": "scala.lang.security.audit.scalac-debug.scalac-debug",
"name": "scala.lang.security.audit.scalac-debug.scalac-debug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scalac-debug.scalac-debug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/scalaj/scalaj-http#simplified-http](https://github.com/scalaj/scalaj-http#simplified-http)\n",
"text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"id": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"name": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"id": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"name": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."
},
"help": {
"markdown": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n",
"text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"id": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"name": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views."
},
"help": {
"markdown": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response",
"id": "scala.play.security.tainted-html-response.tainted-html-response",
"name": "scala.play.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings."
},
"help": {
"markdown": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n - [https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code](https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code)\n",
"text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"id": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"name": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-slick-sqli.tainted-slick-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"id": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"name": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `WSClient` will most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `WSClient` will most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.playframework.com/documentation/2.8.x/ScalaWS](https://www.playframework.com/documentation/2.8.x/ScalaWS)\n",
"text": "A parameter being passed directly into `WSClient` will most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf",
"id": "scala.play.security.webservice-ssrf.webservice-ssrf",
"name": "scala.play.security.webservice-ssrf.webservice-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.webservice-ssrf.webservice-ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"id": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"name": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"id": "scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"name": "scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"id": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"name": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy."
},
"help": {
"markdown": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens)\n - [https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)\n - [https://hackmd.io/@sentimentxyz/SJCySo1z2](https://hackmd.io/@sentimentxyz/SJCySo1z2)\n",
"text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"id": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"name": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."
},
"help": {
"markdown": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n",
"text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"id": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"name": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function borrowFresh() in Compound performs state update after doTransferOut()"
},
"help": {
"markdown": "Function borrowFresh() in Compound performs state update after doTransferOut()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy)\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\n - [https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4](https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4)\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\n",
"text": "Function borrowFresh() in Compound performs state update after doTransferOut()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"id": "solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"name": "solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function sweepToken is allowed to be called by anyone"
},
"help": {
"markdown": "Function sweepToken is allowed to be called by anyone\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n",
"text": "Function sweepToken is allowed to be called by anyone\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"id": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"name": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$POOL.get_virtual_price() call on a Curve pool is not protected from read-only reentrancy."
},
"help": {
"markdown": "$POOL.get_virtual_price() call on a Curve pool is not protected from read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n",
"text": "$POOL.get_virtual_price() call on a Curve pool is not protected from read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"id": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"name": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "abi.encodePacked hash collision with variable length arguments in $F()"
},
"help": {
"markdown": "abi.encodePacked hash collision with variable length arguments in $F()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n",
"text": "abi.encodePacked hash collision with variable length arguments in $F()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision",
"id": "solidity.security.encode-packed-collision.encode-packed-collision",
"name": "solidity.security.encode-packed-collision.encode-packed-collision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC677 callAfterTransfer() reentrancy"
},
"help": {
"markdown": "ERC677 callAfterTransfer() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy)\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\n - [https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58](https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58)\n",
"text": "ERC677 callAfterTransfer() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy",
"id": "solidity.security.erc677-reentrancy.erc677-reentrancy",
"name": "solidity.security.erc677-reentrancy.erc677-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc677-reentrancy.erc677-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Custom ERC721 implementation lacks access control checks in _transfer()"
},
"help": {
"markdown": "Custom ERC721 implementation lacks access control checks in _transfer()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom)\n - [https://twitter.com/BlockSecAlert/status/1516289618605654024](https://twitter.com/BlockSecAlert/status/1516289618605654024)\n - [https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b](https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b)\n",
"text": "Custom ERC721 implementation lacks access control checks in _transfer()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"id": "solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"name": "solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC721 onERC721Received() reentrancy"
},
"help": {
"markdown": "ERC721 onERC721Received() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n",
"text": "ERC721 onERC721Received() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy",
"id": "solidity.security.erc721-reentrancy.erc721-reentrancy",
"name": "solidity.security.erc721-reentrancy.erc721-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC777 tokensReceived() reentrancy"
},
"help": {
"markdown": "ERC777 tokensReceived() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n",
"text": "ERC777 tokensReceived() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy",
"id": "solidity.security.erc777-reentrancy.erc777-reentrancy",
"name": "solidity.security.erc777-reentrancy.erc777-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "blockhash(block.number) and blockhash(block.number + N) always return 0."
},
"help": {
"markdown": "blockhash(block.number) and blockhash(block.number + N) always return 0.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash)\n - [https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620](https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620)\n",
"text": "blockhash(block.number) and blockhash(block.number + N) always return 0.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"id": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"name": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-341: Predictable from Observable State",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Keep3rV2.current() call has high data freshness but low security: an exploiter only needs to manipulate 2 data points to impact the feed."
},
"help": {
"markdown": "Keep3rV2.current() call has high data freshness but low security: an exploiter only needs to manipulate 2 data points to impact the feed.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation)\n - [https://twitter.com/peckshield/status/1510232640338608131](https://twitter.com/peckshield/status/1510232640338608131)\n - [https://twitter.com/FrankResearcher/status/1510239094777032713](https://twitter.com/FrankResearcher/status/1510239094777032713)\n - [https://twitter.com/larry0x/status/1510263618180464644](https://twitter.com/larry0x/status/1510263618180464644)\n - [https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9](https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9)\n - [https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f](https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f)\n",
"text": "Keep3rV2.current() call has high data freshness but low security: an exploiter only needs to manipulate 2 data points to impact the feed.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"id": "solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"name": "solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers."
},
"help": {
"markdown": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx)\n - [https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities](https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities)\n - [https://x.com/shoucccc/status/1757777764646859121](https://x.com/shoucccc/status/1757777764646859121)\n",
"text": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"id": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"name": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"HIGH CONFIDENCE",
"OWASP-A7:2021 Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The code must not contain any Unicode direction control characters"
},
"help": {
"markdown": "The code must not contain any Unicode direction control characters\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n",
"text": "The code must not contain any Unicode direction control characters\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters",
"id": "solidity.security.no-bidi-characters.no-bidi-characters",
"name": "solidity.security.no-bidi-characters.no-bidi-characters",
"properties": {
"precision": "very-high",
"tags": [
"CWE-837: Improper Enforcement of a Single, Unique Action",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "No slippage check in a Uniswap v2/v3 trade"
},
"help": {
"markdown": "No slippage check in a Uniswap v2/v3 trade\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check)\n - [https://uniswapv3book.com/docs/milestone_3/slippage-protection/](https://uniswapv3book.com/docs/milestone_3/slippage-protection/)\n",
"text": "No slippage check in a Uniswap v2/v3 trade\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check",
"id": "solidity.security.no-slippage-check.no-slippage-check",
"name": "solidity.security.no-slippage-check.no-slippage-check",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.no-slippage-check.no-slippage-check"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Proxy declares a state var that may override a storage slot of the implementation"
},
"help": {
"markdown": "Proxy declares a state var that may override a storage slot of the implementation\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision)\n - [https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)\n",
"text": "Proxy declares a state var that may override a storage slot of the implementation\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision",
"id": "solidity.security.proxy-storage-collision.proxy-storage-collision",
"name": "solidity.security.proxy-storage-collision.proxy-storage-collision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-787: Out-of-bounds Write",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.proxy-storage-collision.proxy-storage-collision"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "transferFrom() can steal allowance of other accounts"
},
"help": {
"markdown": "transferFrom() can steal allowance of other accounts\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n",
"text": "transferFrom() can steal allowance of other accounts\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"id": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"name": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "setMultipleAllowances() is missing onlyOwner modifier"
},
"help": {
"markdown": "setMultipleAllowances() is missing onlyOwner modifier\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n",
"text": "setMultipleAllowances() is missing onlyOwner modifier\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"id": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"name": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Oracle update is not restricted in $F()"
},
"help": {
"markdown": "Oracle update is not restricted in $F()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n",
"text": "Oracle update is not restricted in $F()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"id": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"name": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A specially crafted calldata may be used to impersonate other accounts"
},
"help": {
"markdown": "A specially crafted calldata may be used to impersonate other accounts\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n",
"text": "A specially crafted calldata may be used to impersonate other accounts\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"id": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"name": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping"
},
"help": {
"markdown": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug)\n - [https://twitter.com/Mauricio_0218/status/1490082073096462340](https://twitter.com/Mauricio_0218/status/1490082073096462340)\n - [https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1](https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1)\n",
"text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"id": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"name": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain."
},
"help": {
"markdown": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n",
"text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"id": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"name": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Webviews were observed that explicitly allow JavaScript in a WKWebView to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege."
},
"help": {
"markdown": "Webviews were observed that explicitly allow JavaScript in a WKWebView to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n - [https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati](https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati)\n",
"text": "Webviews were observed that explicitly allow JavaScript in a WKWebView to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"id": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"name": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"properties": {
"precision": "very-high",
"tags": [
"CWE-272: Least Privilege Violation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"id": "terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"name": "terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"id": "terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"name": "terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`."
},
"help": {
"markdown": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"id": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"name": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"id": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"name": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information."
},
"help": {
"markdown": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"id": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"name": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"id": "terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"name": "terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"id": "terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"name": "terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"id": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"name": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."
},
"help": {
"markdown": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"id": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"name": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"HIGH CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Database instance has no logging. Missing logs can cause important event information to be lost."
},
"help": {
"markdown": "Database instance has no logging. Missing logs can cause important event information to be lost.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Database instance has no logging. Missing logs can cause important event information to be lost.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"id": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"name": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"id": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"name": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."
},
"help": {
"markdown": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
"text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"id": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"name": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"id": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"name": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"id": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"name": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."
},
"help": {
"markdown": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"id": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"name": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"id": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"name": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."
},
"help": {
"markdown": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n",
"text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"id": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"name": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."
},
"help": {
"markdown": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"id": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"name": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2."
},
"help": {
"markdown": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options)\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\n",
"text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"id": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"name": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1390: Weak Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE."
},
"help": {
"markdown": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\n",
"text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"id": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"name": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"id": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"name": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."
},
"help": {
"markdown": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"id": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"name": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t"
},
"help": {
"markdown": "Ensure all Elasticsearch has node-to-node encryption enabled.\t\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"id": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"name": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ELB has no logging. Missing logs can cause missing important event information."
},
"help": {
"markdown": "ELB has no logging. Missing logs can cause missing important event information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "ELB has no logging. Missing logs can cause missing important event information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"id": "terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"name": "terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"id": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"name": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`."
},
"help": {
"markdown": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"id": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"name": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"id": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"name": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"id": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"name": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"id": "terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"name": "terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."
},
"help": {
"markdown": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"id": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"name": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"id": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"name": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."
},
"help": {
"markdown": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n",
"text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"id": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"name": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"id": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"name": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"id": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"name": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`."
},
"help": {
"markdown": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"id": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"name": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"id": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"name": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"id": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"name": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic."
},
"help": {
"markdown": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)\n - [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)\n",
"text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"id": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"name": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts."
},
"help": {
"markdown": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active)\n - [https://cwe.mitre.org/data/definitions/778.html](https://cwe.mitre.org/data/definitions/778.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode)\n - [https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html)\n",
"text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"id": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"name": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"id": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"name": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."
},
"help": {
"markdown": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n",
"text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"id": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"name": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`."
},
"help": {
"markdown": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"id": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"name": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"id": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"name": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"id": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"name": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"id": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"name": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"id": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"name": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"id": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"name": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html)\n",
"text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"id": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"name": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"id": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"name": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."
},
"help": {
"markdown": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n",
"text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"id": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"name": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"id": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"name": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`."
},
"help": {
"markdown": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"id": "terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"name": "terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"id": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"name": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"id": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"name": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS."
},
"help": {
"markdown": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version)\n - [https://www.ietf.org/rfc/rfc5246.txt](https://www.ietf.org/rfc/rfc5246.txt)\n",
"text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"id": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"name": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN."
},
"help": {
"markdown": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"id": "terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"name": "terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."
},
"help": {
"markdown": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n",
"text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"id": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"name": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`."
},
"help": {
"markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"id": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"name": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.wildcard-assume-role.wildcard-assume-role"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice."
},
"help": {
"markdown": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity)\n",
"text": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"id": "terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"name": "terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings"
},
"help": {
"markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings)\n",
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"id": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"name": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"
},
"help": {
"markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n",
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"id": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"name": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting."
},
"help": {
"markdown": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only)\n - [https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https)\n",
"text": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"id": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"name": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block."
},
"help": {
"markdown": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled)\n",
"text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"id": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"name": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block."
},
"help": {
"markdown": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version)\n",
"text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"id": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"name": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings"
},
"help": {
"markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled)\n",
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"id": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"name": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block"
},
"help": {
"markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled)\n",
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"id": "terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"name": "terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Key vault Secret should have a content type set"
},
"help": {
"markdown": "Key vault Secret should have a content type set\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type)\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\n",
"text": "Key vault Secret should have a content type set\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"id": "terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"name": "terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Ensure that the expiration date is set on all keys"
},
"help": {
"markdown": "Ensure that the expiration date is set on all keys\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date)\n - [https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags)\n",
"text": "Ensure that the expiration date is set on all keys\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"id": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"name": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-262: Not Using Password Aging",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Ensure that the expiration date is set on all secrets"
},
"help": {
"markdown": "Ensure that the expiration date is set on all secrets\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date)\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\n",
"text": "Ensure that the expiration date is set on all secrets\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"id": "terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"name": "terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-262: Not Using Password Aging",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Key vault should have purge protection enabled"
},
"help": {
"markdown": "Key vault should have purge protection enabled\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection](https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection)\n",
"text": "Key vault should have purge protection enabled\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"id": "terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"name": "terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-693: Protection Mechanism Failure",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."
},
"help": {
"markdown": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n",
"text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"id": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"name": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules"
},
"help": {
"markdown": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services](https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services)\n",
"text": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"id": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"name": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."
},
"help": {
"markdown": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n",
"text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"id": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"name": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block."
},
"help": {
"markdown": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)\n",
"text": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"id": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"name": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis."
},
"help": {
"markdown": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet](https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet)\n",
"text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"id": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"name": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"LOW CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."
},
"help": {
"markdown": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n",
"text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"id": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"name": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`."
},
"help": {
"markdown": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported."
},
"help": {
"markdown": "Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The ECR Repository isn\u0027t configured to scan images on push"
},
"help": {
"markdown": "The ECR Repository isn\u0027t configured to scan images on push\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push)\n - [https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components)\n",
"text": "The ECR Repository isn\u0027t configured to scan images on push\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"id": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"name": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1104: Use of Unmaintained Third Party Components",
"LOW CONFIDENCE",
"OWASP-A06:2021 - Vulnerable and Outdated Components",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute."
},
"help": {
"markdown": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging)\n - [https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)\n",
"text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"id": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"name": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"LOW CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access"
},
"help": {
"markdown": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"id": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"name": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Encryption at rest is not enabled for the elastic search domain resource"
},
"help": {
"markdown": "Encryption at rest is not enabled for the elastic search domain resource\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Encryption at rest is not enabled for the elastic search domain resource\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"id": "terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"name": "terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE"
},
"help": {
"markdown": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges)\n - [https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py)\n",
"text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"id": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"name": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response."
},
"help": {
"markdown": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n",
"text": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"id": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"name": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources."
},
"help": {
"markdown": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/)\n",
"text": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"id": "terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"name": "terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."
},
"help": {
"markdown": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n",
"text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"id": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"name": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE"
},
"help": {
"markdown": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py)\n",
"text": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"id": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"name": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction."
},
"help": {
"markdown": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n",
"text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"id": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"name": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources."
},
"help": {
"markdown": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n",
"text": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"id": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"name": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take."
},
"help": {
"markdown": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py)\n",
"text": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"id": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"name": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."
},
"help": {
"markdown": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n",
"text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"id": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"name": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RDS instance accessible from the Internet detected."
},
"help": {
"markdown": "RDS instance accessible from the Internet detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible)\n - [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding)\n",
"text": "RDS instance accessible from the Internet detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access",
"id": "terraform.lang.security.rds-public-access.rds-public-access",
"name": "terraform.lang.security.rds-public-access.rds-public-access",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.rds-public-access.rds-public-access"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CORS rule on bucket permits any origin"
},
"help": {
"markdown": "CORS rule on bucket permits any origin\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors)\n",
"text": "CORS rule on bucket permits any origin\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"id": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"name": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"properties": {
"precision": "very-high",
"tags": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-cors-all-origins.all-origins-allowed"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "S3 bucket with public read access detected."
},
"help": {
"markdown": "S3 bucket with public read access detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\n",
"text": "S3 bucket with public read access detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"id": "terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"name": "terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "S3 bucket with public read-write access detected."
},
"help": {
"markdown": "S3 bucket with public read-write access detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\n",
"text": "S3 bucket with public read-write access detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info."
},
"help": {
"markdown": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)\n",
"text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"id": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"name": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"
},
"help": {
"markdown": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n",
"text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"id": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"name": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"properties": {
"precision": "very-high",
"tags": [
"CWE-665: Improper Initialization",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"
},
"help": {
"markdown": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n",
"text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"id": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"name": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"properties": {
"precision": "very-high",
"tags": [
"CWE-665: Improper Initialization",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function"
},
"help": {
"markdown": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex)\n - [https://pkg.go.dev/sync#RWMutex](https://pkg.go.dev/sync#RWMutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n",
"text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"id": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"name": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"
},
"help": {
"markdown": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n",
"text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"id": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"name": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Appending `$SLICE` from multiple goroutines is not concurrency safe"
},
"help": {
"markdown": "Appending `$SLICE` from multiple goroutines is not concurrency safe\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice)\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\n",
"text": "Appending `$SLICE` from multiple goroutines is not concurrency safe\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"id": "trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"name": "trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"properties": {
"precision": "very-high",
"tags": [
"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.racy-append-to-slice.racy-append-to-slice"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Writing `$MAP` from multiple goroutines is not concurrency safe"
},
"help": {
"markdown": "Writing `$MAP` from multiple goroutines is not concurrency safe\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map)\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\n",
"text": "Writing `$MAP` from multiple goroutines is not concurrency safe\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map",
"id": "trailofbits.go.racy-write-to-map.racy-write-to-map",
"name": "trailofbits.go.racy-write-to-map.racy-write-to-map",
"properties": {
"precision": "very-high",
"tags": [
"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.racy-write-to-map.racy-write-to-map"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service"
},
"help": {
"markdown": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil)\n - [https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658](https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658)\n",
"text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"id": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"name": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"properties": {
"precision": "very-high",
"tags": [
"CWE-476: NULL Pointer Dereference",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Downcasting or changing sign of an integer with `$CAST_METHOD` method"
},
"help": {
"markdown": "Downcasting or changing sign of an integer with `$CAST_METHOD` method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast)\n - [https://github.com/golang/go/issues/30209](https://github.com/golang/go/issues/30209)\n",
"text": "Downcasting or changing sign of an integer with `$CAST_METHOD` method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"id": "trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"name": "trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"properties": {
"precision": "very-high",
"tags": [
"CWE-681: Incorrect Conversion between Numeric Types",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"
},
"help": {
"markdown": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"id": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"name": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n"
},
"help": {
"markdown": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"id": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"name": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`"
},
"help": {
"markdown": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"id": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"name": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"
},
"help": {
"markdown": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n",
"text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"id": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"name": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks"
},
"help": {
"markdown": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas)\n - [https://lxml.de/FAQ.html](https://lxml.de/FAQ.html)\n",
"text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"id": "trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"name": "trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.lxml-in-pandas.lxml-in-pandas"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading"
},
"help": {
"markdown": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules)\n - [https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects](https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects)\n",
"text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"id": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"name": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"properties": {
"precision": "very-high",
"tags": [
"MEDIUM CONFIDENCE"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"id": "trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"name": "trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-numpy.pickles-in-numpy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"id": "trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"name": "trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-pandas.pickles-in-pandas"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"id": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"name": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"
},
"help": {
"markdown": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n",
"text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"id": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"name": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context."
},
"help": {
"markdown": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust)\n - [https://angular.io/api/platform-browser/DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"id": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"name": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"
},
"help": {
"markdown": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
"text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"id": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"name": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Bucket $X is not set to enforce encryption-in-transit, if not explicitly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"
},
"help": {
"markdown": "Bucket $X is not set to enforce encryption-in-transit, if not explicitly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
"text": "Bucket $X is not set to enforce encryption-in-transit, if not explicitly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"id": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"name": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue."
},
"help": {
"markdown": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html)\n",
"text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"id": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"name": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional."
},
"help": {
"markdown": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)\n",
"text": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"id": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"name": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-306: Missing Authentication for Critical Function",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publicly accessible, including builds prior to the project being public. Ensure this is acceptable for the project."
},
"help": {
"markdown": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publicly accessible, including builds prior to the project being public. Ensure this is acceptable for the project.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public)\n - [https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html](https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html)\n",
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publicly accessible, including builds prior to the project being public. Ensure this is acceptable for the project.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"id": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"name": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"properties": {
"precision": "very-high",
"tags": [
"CWE-306: Missing Authentication for Critical Function",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN"
},
"help": {
"markdown": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"id": "typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"name": "typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"id": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"name": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter."
},
"help": {
"markdown": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"id": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"name": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability."
},
"help": {
"markdown": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"id": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"name": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
},
"help": {
"markdown": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n",
"text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Property decoded from a JWT token without verifying the signature; it cannot be trusted."
},
"help": {
"markdown": "Property decoded from a JWT token without verifying the signature; it cannot be trusted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property)\n - [https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html](https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html)\n",
"text": "Property decoded from a JWT token without verifying the signature; it cannot be trusted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"id": "typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"name": "typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"properties": {
"precision": "very-high",
"tags": [
"CWE-922: Insecure Storage of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie."
},
"help": {
"markdown": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)\n",
"text": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"id": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"name": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-922: Insecure Storage of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
},
"help": {
"markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln](https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/write](https://developer.mozilla.org/en-US/docs/Web/API/Document/write)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML)\n",
"text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"id": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"name": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unencrypted request over HTTP detected."
},
"help": {
"markdown": "Unencrypted request over HTTP detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n",
"text": "Unencrypted request over HTTP detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request",
"id": "typescript.react.security.react-insecure-request.react-insecure-request",
"name": "typescript.react.security.react-insecure-request.react-insecure-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."
},
"help": {
"markdown": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n",
"text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead."
},
"help": {
"markdown": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection)\n - [https://github.com/argoproj/argo-workflows/issues/5061](https://github.com/argoproj/argo-workflows/issues/5061)\n - [https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370](https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370)\n",
"text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"id": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"name": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 \u2013 Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this."
},
"help": {
"markdown": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n",
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"id": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"name": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"id": "yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"name": "yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n",
"text": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service",
"id": "yaml.docker-compose.security.privileged-service.privileged-service",
"name": "yaml.docker-compose.security.privileged-service.privileged-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n",
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"id": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"name": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n",
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"id": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"name": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir)\n - [https://blog.atomist.com/security-of-docker-kubernetes/](https://blog.atomist.com/security-of-docker-kubernetes/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only)\n",
"text": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"id": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"name": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information."
},
"help": {
"markdown": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands)\n - [https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/](https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/)\n - [https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w](https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w)\n - [https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files)\n",
"text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"id": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"name": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"properties": {
"precision": "very-high",
"tags": [
"CWE-749: Exposed Dangerous Method or Function",
"MEDIUM CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n",
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval",
"id": "yaml.github-actions.security.curl-eval.curl-eval",
"name": "yaml.github-actions.security.curl-eval.curl-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.curl-eval.curl-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\"."
},
"help": {
"markdown": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n",
"text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection",
"id": "yaml.github-actions.security.github-script-injection.github-script-injection",
"name": "yaml.github-actions.security.github-script-injection.github-script-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
},
"help": {
"markdown": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n",
"text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"id": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"name": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\"."
},
"help": {
"markdown": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n",
"text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
"id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
"name": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
},
"help": {
"markdown": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n",
"text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"id": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"name": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"id": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"name": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"id": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"name": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"id": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"name": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead."
},
"help": {
"markdown": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled)\n - [https://flask.palletsprojects.com/en/2.0.x/debugging/](https://flask.palletsprojects.com/en/2.0.x/debugging/)\n - [https://flask.palletsprojects.com/en/2.0.x/config/#ENV](https://flask.palletsprojects.com/en/2.0.x/config/#ENV)\n",
"text": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"id": "yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"name": "yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this."
},
"help": {
"markdown": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath)\n - [https://kubernetes.io/docs/concepts/storage/volumes/#hostpath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n",
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"id": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"name": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"id": "yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"name": "yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-693: Protection Mechanism Failure",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostipc-pod.hostipc-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"id": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"name": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-406: Insufficient Control of Network Message Volume (Network Amplification)",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"id": "yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"name": "yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. "
},
"help": {
"markdown": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions)\n - [https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)\n - [https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups)\n",
"text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"id": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"name": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability."
},
"help": {
"markdown": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n",
"text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container",
"id": "yaml.kubernetes.security.privileged-container.privileged-container",
"name": "yaml.kubernetes.security.privileged-container.privileged-container",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.privileged-container.privileged-container"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root)\n - [https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user)\n",
"text": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"id": "yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"name": "yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.run-as-non-root.run-as-non-root"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this."
},
"help": {
"markdown": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n",
"text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"id": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"name": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication."
},
"help": {
"markdown": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster)\n - [https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster](https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster)\n",
"text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"id": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"name": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication."
},
"help": {
"markdown": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n",
"text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"id": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"name": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function."
},
"help": {
"markdown": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false)\n - [https://platform.openai.com/docs/actions/consequential-flag](https://platform.openai.com/docs/actions/consequential-flag)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf](https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf)\n",
"text": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"id": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"name": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"HIGH CONFIDENCE",
"OWASP-A04:2021 Insecure Design",
"OWASP-LLM08:2023 - Excessive Agency",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS."
},
"help": {
"markdown": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n",
"text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"id": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"name": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"HIGH CONFIDENCE",
"OWASP-A04:2021 Insecure Design",
"OWASP-A07:2021 Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"
}
}
],
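The six Kubernetes rules above (hostPID, privileged containers, seccomp unconfined, runAsNonRoot, and the two TLS-verification rules) describe pod-spec conditions that can be checked directly on a parsed manifest. The following is an added example, not Semgrep's implementation and not code from the scanned project: a small checker that evaluates the pod-level conditions on two constructed manifests, one with the weak settings and one hardened. Note that the `pod-security-policy` pages the rules link to document an API that was removed in Kubernetes 1.25; the same checks are now enforced cluster-side by Pod Security Admission under the `baseline` and `restricted` profiles.

```python
"""Checker for the pod-spec conditions described by the Semgrep Kubernetes
rules above. Added example; the two manifests are constructed here for
illustration and the rule wording is paraphrased, not Semgrep's code."""

# Constructed manifest showing the flagged settings together.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {
                "privileged": True,
                "seccompProfile": {"type": "Unconfined"},
            },
        }],
    },
}

# Constructed manifest with the remediations the rules ask for.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
            },
        }],
    },
}


def check_pod(manifest: dict) -> list[str]:
    """Return one finding string per violated condition; empty list if clean."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    if spec.get("hostPID"):
        findings.append("hostPID: pod shares the host PID namespace")
    if pod_sc.get("seccompProfile", {}).get("type") == "Unconfined":
        findings.append("pod: seccompProfile Unconfined")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            findings.append(f"{name}: seccompProfile Unconfined")
        # runAsNonRoot is inherited from the pod securityContext and a
        # container-level value overrides it, so check the effective value.
        effective = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if effective is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "no findings")
```

The checker evaluates the effective `runAsNonRoot` rather than the literal key on the container, which is the distinction a manifest-level grep misses: a pod-level `securityContext` satisfies the rule for every container that does not override it.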
"semanticVersion": "1.143.1"
}
}
}
],
"version": "2.1.0"
},
"status": "success",
"tool": "semgrep",
"total_issues": 2
},
"vulture": {
"config_used": {},
"executed": true,
"results": [],
"status": "no_issues",
"tool": "vulture",
"total_issues": 0
}
},
"structure": {
"status": "success"
}
},
"sarif_export": {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:49Z",
"executionSuccessful": true
}
],
"properties": {
"metrics": {
"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
},
"_totals": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
}
}
},
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 53,
"snippet": {
"text": " while True:\n code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n if not Url.query.filter_by(short_code=code).first():\n"
},
"startLine": 51
},
"region": {
"endColumn": 49,
"endLine": 52,
"snippet": {
"text": " code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n"
},
"startColumn": 24,
"startLine": 52
}
}
}
],
"message": {
"text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
},
"properties": {
"issue_confidence": "HIGH",
"issue_severity": "LOW"
},
"ruleId": "B311",
"ruleIndex": 0
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 144,
"snippet": {
"text": " logger.info(f\"Starting Flask app on port {port}\")\n app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startLine": 143
},
"region": {
"endColumn": 27,
"endLine": 144,
"snippet": {
"text": " app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startColumn": 18,
"startLine": 144
}
}
}
],
"message": {
"text": "Possible binding to all interfaces."
},
"properties": {
"issue_confidence": "MEDIUM",
"issue_severity": "MEDIUM"
},
"ruleId": "B104",
"ruleIndex": 1
}
],
"tool": {
"driver": {
"name": "Bandit",
"organization": "PyCQA",
"rules": [
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b311-random",
"id": "B311",
"name": "blacklist",
"properties": {
"precision": "high",
"tags": [
"security",
"external/cwe/cwe-330"
]
}
},
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/plugins/b104_hardcoded_bind_all_interfaces.html",
"id": "B104",
"name": "hardcoded_bind_all_interfaces",
"properties": {
"precision": "medium",
"tags": [
"security",
"external/cwe/cwe-605"
]
}
}
],
"semanticVersion": "1.8.6",
"version": "1.8.6"
}
}
}
],
"version": "2.1.0"
},
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:54.769518+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 88
}
}
}
],
"message": {
"text": "Line too long (112/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 111
}
}
}
],
"message": {
"text": "Line too long (119/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 144
}
}
}
],
"message": {
"text": "Final newline missing"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0304"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 14,
"startLine": 39
}
}
}
],
"message": {
"text": "setup_app: Redefining name \u0027app\u0027 from outer scope (line 14)"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0621"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 81
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 98
}
}
}
],
"message": {
"text": "shorten_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 88
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 95
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 100
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 116
}
}
}
],
"message": {
"text": "redirect_to_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 108
}
}
}
],
"message": {
"text": "redirect_to_url: Unnecessary \"else\" after \"return\", remove the \"else\" and de-indent the code inside it"
},
"properties": {
"severity": "refactor"
},
"ruleId": "R1705"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 111
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 114
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 118
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 126
}
}
}
],
"message": {
"text": "not_found_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 20,
"startLine": 124
}
}
}
],
"message": {
"text": "not_found_error: Unused argument \u0027error\u0027"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0613"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 132
}
}
}
],
"message": {
"text": "internal_server_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 143
}
}
}
],
"message": {
"text": "Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/pylint",
"name": "pylint",
"version": "unknown"
}
}
},
{
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": [
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/Dockerfile:9:\n `apt-get update \u0026\u0026 apt-get install -y \\\r\n gcc \\\r\n curl \\\r\n libxml2-dev \\\r\n libxslt-dev \\\r\n python3-dev \\\r\n \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 break || \\\r\n (echo \"Retry $i: Failed to install system dependencies\" \u0026\u0026 sleep 2); \\\r\n done\r\n\r\n# Upgrade pip and install build tools with fallback\r\nRUN pip install --no-cache-dir --upgrade pip setuptools wheel || \\\r\n (echo \"WARNING: Failed to upgrade pip/setuptools, continuing with defaults\" \u0026\u0026 true)\r\n\r\n# Copy requirements first for better caching\r\nCOPY requirements.txt .\r\n\r\n# Install Python dependencies with multiple fallback strategies\r\nRUN echo \"=== Installing Python dependencies ===\" \u0026\u0026 \\\r\n (pip install --no-cache-dir -r requirements.txt \u0026\u0026 echo \"\u2713 Dependencies installed successfully\") || \\\r\n (echo \"\u26a0 First attempt failed, trying with --use-deprecated=legacy-resolver\" \u0026\u0026 \\\r\n pip install --no-cache-dir --use-deprecated=legacy-resolver -r requirements.txt) || \\\r\n (echo \"\u26a0 Second attempt failed, trying packages individually\" \u0026\u0026 \\\r\n cat requirements.txt | grep -v \u0027^#\u0027 | grep -v \u0027^$\u0027 | while read pkg; do \\\r\n echo \"Installing $pkg...\" \u0026\u0026 \\\r\n pip install --no-cache-dir \"$pkg\" || echo \"WARNING: Failed to install $pkg\"; \\\r\n done) || \\\r\n (echo \"ERROR: Failed to install dependencies. Image may be incomplete.\" \u0026\u0026 exit 1)\r\n\r\n# Verify critical Flask dependencies are installed\r\nRUN python -c \"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed\u0027)\" || \\\r\n (echo \"ERROR: Flask not installed. Installing Flask as fallback...\" \u0026\u0026 \\\r\n pip install --no-cache-dir Flask\u003e=3.0.0 \u0026\u0026 \\\r\n python -c \"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed (fallback)\u0027)\")\r\n\r\n# Copy application code\r\nCOPY . .\r\n\r\n# Create data directory for SQLite databases with proper permissions\r\nRUN mkdir -p /app/data \u0026\u0026 chmod 777 /app/data\r\n\r\n# Validate app.py exists and has no syntax errors with detailed feedback\r\nRUN if [ ! -f app.py ]; then \\\r\n echo \"ERROR: app.py not found in /app di... (truncated 2052 more characters)"
}
},
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/Dockerfile:11:\n `apk add --no-cache python3 make g++ \u0026\u0026 break || \\\r\n (echo \"Retry $i: Failed to install build tools\" \u0026\u0026 sleep 2); \\\r\n done || true\r\n\r\n# Copy package files\r\nCOPY package.json ./\r\n\r\n# Upgrade npm with fallback\r\nRUN npm install -g npm@latest || \\\r\n (echo \"WARNING: Could not upgrade npm, using existing version $(npm -v)\" \u0026\u0026 true)\r\n\r\n# Install dependencies with multiple fallback strategies\r\nRUN echo \"=== Installing Node dependencies ===\" \u0026\u0026 \\\r\n echo \"Node version: $(node -v)\" \u0026\u0026 \\\r\n echo \"NPM version: $(npm -v)\" \u0026\u0026 \\\r\n (npm ci 2\u003e/dev/null \u0026\u0026 echo \"\u2713 npm ci succeeded\") || \\\r\n (echo \"\u26a0 npm ci failed (no package-lock.json), trying npm install...\" \u0026\u0026 \\\r\n npm install \u0026\u0026 echo \"\u2713 npm install succeeded\") || \\\r\n (echo \"\u26a0 npm install failed, trying with legacy peer deps...\" \u0026\u0026 \\\r\n npm install --legacy-peer-deps \u0026\u0026 echo \"\u2713 Install with legacy-peer-deps succeeded\") || \\\r\n (echo \"\u26a0 Trying to install packages individually...\" \u0026\u0026 \\\r\n npm install react react-dom axios \u0026\u0026 \\\r\n npm install -D vite @vitejs/plugin-react \u0026\u0026 \\\r\n echo \"\u2713 Individual package install completed\") || \\\r\n (echo \"ERROR: All installation strategies failed\" \u0026\u0026 exit 1)\r\n\r\n# Verify critical dependencies\r\nRUN node -e \"require(\u0027react\u0027); console.log(\u0027\u2713 React installed\u0027);\" || \\\r\n (echo \"WARNING: React verification failed\" \u0026\u0026 true)\r\nRUN node -e \"require(\u0027vite\u0027); console.log(\u0027\u2713 Vite installed\u0027);\" || \\\r\n (echo \"WARNING: Vite verification failed\" \u0026\u0026 true)\r\n\r\n# Copy source code\r\nCOPY . .\r\n\r\n# Verify required files exist\r\nRUN if [ ! -f index.html ]; then \\\r\n echo \"ERROR: index.html not found\" \u0026\u0026 exit 1; \\\r\n fi \u0026\u0026 \\\r\n if [ ! -f vite.config.js ]; then \\\r\n echo \"WARNING: vite.config.js not found, creating minimal config\" \u0026\u0026 \\\r\n echo \u0027import { defineConfig } from \"vite\"; export default defineConfig({});\u0027 \u003e vite.config.js; \\\r\n fi \u0026\u0026 \\\r\n if [ ! -d src ]; then \\\r\n echo \"ERROR: src directory not found\" \u0026\u0026 exit 1; \\\r\n fi\r\n\r\n# Build the application with fallbacks\r\nRUN e... (truncated 3823 more characters)"
}
}
]
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "requires login"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 39,
"endLine": 144,
"snippet": {
"text": " app.run(host=\u00270.0.0.0\u0027, port=port)"
},
"startColumn": 5,
"startLine": 144
}
}
}
],
"message": {
"text": "Running flask app with host 0.0.0.0 could expose the server publicly."
},
"properties": {},
"ruleId": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"
},
{
"fingerprints": {
"matchBasedId/v1": "requires login"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/nginx.conf",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 47,
"endLine": 24,
"snippet": {
"text": " proxy_http_version 1.1;\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \u0027upgrade\u0027;"
},
"startColumn": 9,
"startLine": 22
}
}
}
],
"message": {
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"properties": {},
"ruleId": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
}
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval",
"id": "bash.curl.security.curl-eval.curl-eval",
"name": "bash.curl.security.curl-eval.curl-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.curl.security.curl-eval.curl-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"id": "bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"name": "bash.curl.security.curl-pipe-bash.curl-pipe-bash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.curl.security.curl-pipe-bash.curl-pipe-bash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027."
},
"help": {
"markdown": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\",\" read -a my_array\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering",
"id": "bash.lang.security.ifs-tampering.ifs-tampering",
"name": "bash.lang.security.ifs-tampering.ifs-tampering",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead."
},
"help": {
"markdown": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\n",
"text": "Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"id": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"name": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input."
},
"help": {
"markdown": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n",
"text": "Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"id": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"name": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead."
},
"help": {
"markdown": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged](https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged)\n - [https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS](https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS)\n - [https://stackoverflow.com/a/40335556](https://stackoverflow.com/a/40335556)\n",
"text": "Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"id": "c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"name": "c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function."
},
"help": {
"markdown": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\n",
"text": "Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"id": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"name": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"id": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"name": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."
},
"help": {
"markdown": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
"text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5",
"id": "clojure.lang.security.use-of-md5.use-of-md5",
"name": "clojure.lang.security.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1",
"id": "clojure.lang.security.use-of-sha1.use-of-sha1",
"name": "clojure.lang.security.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."
},
"help": {
"markdown": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n",
"text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"id": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"name": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."
},
"help": {
"markdown": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n",
"text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"id": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"name": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`"
},
"help": {
"markdown": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug)\n - [https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/](https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n",
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"id": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"name": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."
},
"help": {
"markdown": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n",
"text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"id": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"name": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1323: Improper Management of Sensitive Trace Data",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."
},
"help": {
"markdown": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n",
"text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection",
"id": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
"name": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305."
},
"help": {
"markdown": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n",
"text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"id": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"name": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."
},
"help": {
"markdown": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n",
"text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"id": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"name": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."
},
"help": {
"markdown": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n",
"text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"id": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"name": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used."
},
"help": {
"markdown": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n",
"text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"id": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"name": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-613: Insufficient Session Expiration",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead."
},
"help": {
"markdown": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n",
"text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"id": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"name": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."
},
"help": {
"markdown": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n",
"text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"id": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"name": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"."
},
"help": {
"markdown": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n",
"text": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"id": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"name": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
},
"help": {
"markdown": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection",
"id": "csharp.lang.security.injections.os-command.os-command-injection",
"name": "csharp.lang.security.injections.os-command.os-command-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.injections.os-command.os-command-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure."
},
"help": {
"markdown": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n",
"text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"HIGH CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior."
},
"help": {
"markdown": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n",
"text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"id": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"name": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The $type extension has the potential to be unsafe, so use it with common sense and only with known JSON sources, not public-facing ones."
},
"help": {
"markdown": "The $type extension has the potential to be unsafe, so use it with common sense and only with known JSON sources, not public-facing ones.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n",
"text": "The $type extension has the potential to be unsafe, so use it with common sense and only with known JSON sources, not public-facing ones.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"id": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"name": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "FsPickler is dangerous and is not recommended for data processing. Its default configuration is prone to insecure deserialization vulnerabilities."
},
"help": {
"markdown": "FsPickler is dangerous and is not recommended for data processing. Its default configuration is prone to insecure deserialization vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n",
"text": "FsPickler is dangerous and is not recommended for data processing. Its default configuration is prone to insecure deserialization vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"id": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"name": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using a .NET Remoting service can lead to RCE, even if you try to configure TypeFilterLevel. It is recommended to switch from .NET Remoting to WCF: https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"
},
"help": {
"markdown": "Using a .NET Remoting service can lead to RCE, even if you try to configure TypeFilterLevel. It is recommended to switch from .NET Remoting to WCF: https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n",
"text": "Using a .NET Remoting service can lead to RCE, even if you try to configure TypeFilterLevel. It is recommended to switch from .NET Remoting to WCF: https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"id": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"name": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server."
},
"help": {
"markdown": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks)\n",
"text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"id": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"name": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n",
"text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n",
"text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. NetDataContractSerializer is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"id": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"name": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None."
},
"help": {
"markdown": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization)\n - [https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks](https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks)\n",
"text": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"id": "csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"name": "csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure"
},
"help": {
"markdown": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n",
"text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. SoapFormatter is insecure and can\u0027t be made secure\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"id": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"name": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."
},
"help": {
"markdown": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n",
"text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"id": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"name": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span",
"properties": {
"precision": "very-high",
"tags": [
"CWE-125: Out-of-bounds Read",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"
},
"help": {
"markdown": "Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n",
"text": "Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"id": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"name": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"
},
"help": {
"markdown": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n",
"text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"id": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"name": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using \u0027SqlCommand\u0027 and \u0027SqlParameter\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"id": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"name": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf",
"id": "csharp.lang.security.ssrf.http-client.ssrf",
"name": "csharp.lang.security.ssrf.http-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.http-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf",
"id": "csharp.lang.security.ssrf.rest-client.ssrf",
"name": "csharp.lang.security.ssrf.rest-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.rest-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."
},
"help": {
"markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf",
"id": "csharp.lang.security.ssrf.web-client.ssrf",
"name": "csharp.lang.security.ssrf.web-client.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.web-client.ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name)."
},
"help": {
"markdown": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf",
"id": "csharp.lang.security.ssrf.web-request.ssrf",
"name": "csharp.lang.security.ssrf.web-request.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."
},
"help": {
"markdown": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n",
"text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"id": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"name": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-209: Generation of Error Message Containing Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"id": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"name": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"id": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"name": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
},
"help": {
"markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
"text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"id": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"name": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded."
},
"help": {
"markdown": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `\u003c/script\u003e` is not properly encoded.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json",
"id": "csharp.razor.security.html-raw-json.html-raw-json",
"name": "csharp.razor.security.html-raw-json.html-raw-json",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. "
},
"help": {
"markdown": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url)\n - [https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url](https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url)\n - [https://github.com/semgrep/semgrep-rules/issues/3032](https://github.com/semgrep/semgrep-rules/issues/3032)\n",
"text": "When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"id": "dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"name": "dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url",
"properties": {
"precision": "very-high",
"tags": [
"CWE-427: Uncontrolled Search Path Element",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."
},
"help": {
"markdown": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n",
"text": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"id": "dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"name": "dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"CWE-862: Missing Authorization",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027."
},
"help": {
"markdown": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n",
"text": "The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root",
"id": "dockerfile.security.last-user-is-root.last-user-is-root",
"name": "dockerfile.security.last-user-is-root.last-user-is-root",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027."
},
"help": {
"markdown": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"id": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"name": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027."
},
"help": {
"markdown": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
"id": "dockerfile.security.missing-user.missing-user",
"name": "dockerfile.security.missing-user.missing-user",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities."
},
"help": {
"markdown": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n",
"text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"id": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"name": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Semgrep found a bash reverse shell"
},
"help": {
"markdown": "Semgrep found a bash reverse shell\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Semgrep found a bash reverse shell\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"id": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"name": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path."
},
"help": {
"markdown": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n",
"text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal",
"id": "generic.nginx.security.alias-path-traversal.alias-path-traversal",
"name": "generic.nginx.security.alias-path-traversal.alias-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar."
},
"help": {
"markdown": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n",
"text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"id": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"name": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."
},
"help": {
"markdown": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n",
"text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"id": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"name": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027."
},
"help": {
"markdown": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n",
"text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\s]+\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection",
"id": "generic.nginx.security.header-injection.header-injection",
"name": "generic.nginx.security.header-injection.header-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.header-injection.header-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block."
},
"help": {
"markdown": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)\n",
"text": "The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition",
"id": "generic.nginx.security.header-redefinition.header-redefinition",
"name": "generic.nginx.security.header-redefinition.header-redefinition",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.header-redefinition.header-redefinition"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme."
},
"help": {
"markdown": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect",
"id": "generic.nginx.security.insecure-redirect.insecure-redirect",
"name": "generic.nginx.security.insecure-redirect.insecure-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."
},
"help": {
"markdown": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n",
"text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"id": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"name": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure."
},
"help": {
"markdown": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n",
"text": "This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal",
"id": "generic.nginx.security.missing-internal.missing-internal",
"name": "generic.nginx.security.missing-internal.missing-internal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions."
},
"help": {
"markdown": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n",
"text": "This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version",
"id": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
"name": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"help": {
"markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n",
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"id": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"name": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Amazon MWS Auth Token detected"
},
"help": {
"markdown": "Amazon MWS Auth Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Amazon MWS Auth Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"id": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"name": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Artifactory token detected"
},
"help": {
"markdown": "Artifactory token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Artifactory token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"id": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"name": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Artifactory token detected"
},
"help": {
"markdown": "Artifactory token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Artifactory token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"id": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"name": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file."
},
"help": {
"markdown": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"id": "generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"name": "generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "AWS Account ID detected. While not considered sensitive information, it is important to use and share it carefully. For that reason, it is preferable not to hardcode it here. Instead, read the value from an environment variable or keep the value in a separate, private file."
},
"help": {
"markdown": "AWS Account ID detected. While not considered sensitive information, it is important to use and share it carefully. For that reason, it is preferable not to hardcode it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Account ID detected. While not considered sensitive information, it is important to use and share it carefully. For that reason, it is preferable not to hardcode it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"id": "generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"name": "generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-account-id.detected-aws-account-id"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS AppSync GraphQL Key detected"
},
"help": {
"markdown": "AWS AppSync GraphQL Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS AppSync GraphQL Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"id": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"name": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Secret Access Key detected"
},
"help": {
"markdown": "AWS Secret Access Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Secret Access Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"id": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"name": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS Session Token detected"
},
"help": {
"markdown": "AWS Session Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS Session Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"id": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"name": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "bcrypt hash detected"
},
"help": {
"markdown": "bcrypt hash detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "bcrypt hash detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"id": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"name": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "CodeClimate detected"
},
"help": {
"markdown": "CodeClimate detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "CodeClimate detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate",
"id": "generic.secrets.security.detected-codeclimate.detected-codeclimate",
"name": "generic.secrets.security.detected-codeclimate.detected-codeclimate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "linux shadow file detected"
},
"help": {
"markdown": "linux shadow file detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "linux shadow file detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"id": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"name": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Facebook Access Token detected"
},
"help": {
"markdown": "Facebook Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Facebook Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"id": "generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"name": "generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Facebook OAuth detected"
},
"help": {
"markdown": "Facebook OAuth detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Facebook OAuth detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"id": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"name": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Generic API Key detected"
},
"help": {
"markdown": "Generic API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key)\n - [https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json)\n",
"text": "Generic API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"id": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"name": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-generic-api-key.detected-generic-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Generic Secret detected"
},
"help": {
"markdown": "Generic Secret detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Generic Secret detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret",
"id": "generic.secrets.security.detected-generic-secret.detected-generic-secret",
"name": "generic.secrets.security.detected-generic-secret.detected-generic-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "GitHub Token detected"
},
"help": {
"markdown": "GitHub Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "GitHub Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token",
"id": "generic.secrets.security.detected-github-token.detected-github-token",
"name": "generic.secrets.security.detected-github-token.detected-github-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-github-token.detected-github-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Google OAuth Access Token detected"
},
"help": {
"markdown": "Google OAuth Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Google OAuth Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"id": "generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"name": "generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Heroku API Key detected"
},
"help": {
"markdown": "Heroku API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Heroku API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"id": "generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"name": "generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "HockeyApp detected"
},
"help": {
"markdown": "HockeyApp detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "HockeyApp detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"id": "generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"name": "generic.secrets.security.detected-hockeyapp.detected-hockeyapp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-hockeyapp.detected-hockeyapp"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "JWT token detected"
},
"help": {
"markdown": "JWT token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n",
"text": "JWT token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token",
"id": "generic.secrets.security.detected-jwt-token.detected-jwt-token",
"name": "generic.secrets.security.detected-jwt-token.detected-jwt-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-321: Use of Hard-coded Cryptographic Key",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Kolide API Key detected"
},
"help": {
"markdown": "Kolide API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Kolide API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"id": "generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"name": "generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "MailChimp API Key detected"
},
"help": {
"markdown": "MailChimp API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "MailChimp API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"id": "generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"name": "generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Mailgun API Key detected"
},
"help": {
"markdown": "Mailgun API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Mailgun API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"id": "generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"name": "generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "NPM registry authentication token detected"
},
"help": {
"markdown": "NPM registry authentication token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "NPM registry authentication token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"id": "generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"name": "generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Onfido live API Token detected"
},
"help": {
"markdown": "Onfido live API Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n",
"text": "Onfido live API Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"id": "generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"name": "generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Outlook Team detected"
},
"help": {
"markdown": "Outlook Team detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Outlook Team detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team",
"id": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"name": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "PayPal Braintree Access Token detected"
},
"help": {
"markdown": "PayPal Braintree Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "PayPal Braintree Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"id": "generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"name": "generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit."
},
"help": {
"markdown": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"id": "generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"name": "generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Picatic API Key detected"
},
"help": {
"markdown": "Picatic API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Picatic API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"id": "generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"name": "generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."
},
"help": {
"markdown": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key",
"id": "generic.secrets.security.detected-private-key.detected-private-key",
"name": "generic.secrets.security.detected-private-key.detected-private-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Sauce Token detected"
},
"help": {
"markdown": "Sauce Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Sauce Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token",
"id": "generic.secrets.security.detected-sauce-token.detected-sauce-token",
"name": "generic.secrets.security.detected-sauce-token.detected-sauce-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sauce-token.detected-sauce-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SendGrid API Key detected"
},
"help": {
"markdown": "SendGrid API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SendGrid API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"id": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"name": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Slack Token detected"
},
"help": {
"markdown": "Slack Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token)\n - [https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58](https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58)\n",
"text": "Slack Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token",
"id": "generic.secrets.security.detected-slack-token.detected-slack-token",
"name": "generic.secrets.security.detected-slack-token.detected-slack-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-slack-token.detected-slack-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Slack Webhook detected"
},
"help": {
"markdown": "Slack Webhook detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook)\n - [https://api.slack.com/messaging/webhooks](https://api.slack.com/messaging/webhooks)\n",
"text": "Slack Webhook detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"id": "generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"name": "generic.secrets.security.detected-slack-webhook.detected-slack-webhook",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-slack-webhook.detected-slack-webhook"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Snyk API Key detected"
},
"help": {
"markdown": "Snyk API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Snyk API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"id": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"name": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SoftLayer API Key detected"
},
"help": {
"markdown": "SoftLayer API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SoftLayer API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"id": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"name": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SonarQube Docs API Key detected"
},
"help": {
"markdown": "SonarQube Docs API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SonarQube Docs API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"id": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"name": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Square Access Token detected"
},
"help": {
"markdown": "Square Access Token detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Square Access Token detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token",
"id": "generic.secrets.security.detected-square-access-token.detected-square-access-token",
"name": "generic.secrets.security.detected-square-access-token.detected-square-access-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-square-access-token.detected-square-access-token"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Square OAuth Secret detected"
},
"help": {
"markdown": "Square OAuth Secret detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n",
"text": "Square OAuth Secret detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"id": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"name": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSH Password detected"
},
"help": {
"markdown": "SSH Password detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "SSH Password detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password",
"id": "generic.secrets.security.detected-ssh-password.detected-ssh-password",
"name": "generic.secrets.security.detected-ssh-password.detected-ssh-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-ssh-password.detected-ssh-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Stripe API Key detected"
},
"help": {
"markdown": "Stripe API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Stripe API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"id": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"name": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Stripe Restricted API Key detected"
},
"help": {
"markdown": "Stripe Restricted API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Stripe Restricted API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"id": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"name": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Telegram Bot API Key detected"
},
"help": {
"markdown": "Telegram Bot API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Telegram Bot API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"id": "generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"name": "generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Twilio API Key detected"
},
"help": {
"markdown": "Twilio API Key detected\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Twilio API Key detected\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"id": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"name": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects potential Google Maps API keys in code"
},
"help": {
"markdown": "Detects potential Google Maps API keys in code\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n",
"text": "Detects potential Google Maps API keys in code\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"id": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"name": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
"properties": {
"precision": "very-high",
"tags": [
"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"MEDIUM CONFIDENCE",
"OWASP-A3:2017 Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."
},
"help": {
"markdown": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n",
"text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters",
"id": "generic.unicode.security.bidi.contains-bidirectional-characters",
"name": "generic.unicode.security.bidi.contains-bidirectional-characters",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/"
},
"help": {
"markdown": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs)\n - [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)\n - [https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/](https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/)\n",
"text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your \u003cscript\u003e and \u003clink\u003e tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"id": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"name": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."
},
"help": {
"markdown": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n",
"text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on \u003capex:outputText\u003e tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"id": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"name": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher."
},
"help": {
"markdown": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute)\n - [https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5](https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm\u0026type=5)\n",
"text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"id": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"name": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true."
},
"help": {
"markdown": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version)\n - [https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm](https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm)\n",
"text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"id": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"name": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli)\n - [https://pkg.go.dev/database/sql#DB.Query](https://pkg.go.dev/database/sql#DB.Query)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli",
"id": "go.aws-lambda.security.database-sqli.database-sqli",
"name": "go.aws-lambda.security.database-sqli.database-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.aws-lambda.security.database-sqli.database-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"id": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"name": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"id": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"name": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."
},
"help": {
"markdown": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n",
"text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"id": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"name": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce it can lead to Cross-Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\""
},
"help": {
"markdown": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce it can lead to Cross-Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)\n - [https://pkg.go.dev/github.com/gorilla/websocket#Upgrader](https://pkg.go.dev/github.com/gorilla/websocket#Upgrader)\n",
"text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce it can lead to Cross-Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"id": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"name": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with a TLS certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create credentials from a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027."
},
"help": {
"markdown": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with a TLS certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create credentials from a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
"text": "Found an insecure gRPC connection using \u0027grpc.WithInsecure()\u0027. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with a TLS certificate using the \u0027grpc.WithTransportCredentials()\u0027 function. You can create credentials from a \u0027tls.Config{}\u0027 struct with \u0027credentials.NewTLS()\u0027. The final fix looks like this: \u0027grpc.WithTransportCredentials(credentials.NewTLS(\u003cconfig\u003e))\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"id": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"name": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-300: Channel Accessible by Non-Endpoint",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027."
},
"help": {
"markdown": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
"text": "Found an insecure gRPC server without \u0027grpc.Creds()\u0027 or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using \u0027credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"id": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"name": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-300: Channel Accessible by Non-Endpoint",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing. This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing. This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. Don\u0027t use `ParseUnverified` unless you know what you\u0027re doing. This method parses the token but doesn\u0027t validate the signature. It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"id": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"name": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"id": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"name": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key",
"id": "go.jwt-go.security.jwt.hardcoded-jwt-key",
"name": "go.jwt-go.security.jwt.hardcoded-jwt-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2016-5386). It is recommended to use `net/http` or a web framework to build a web application instead."
},
"help": {
"markdown": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2016-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used)\n - [https://godoc.org/golang.org/x/crypto/sha3](https://godoc.org/golang.org/x/crypto/sha3)\n",
"text": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2016-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"id": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"name": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.bad_imports.insecure-module-used"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it."
},
"help": {
"markdown": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key)\n - [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/)\n - [https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d](https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d)\n",
"text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"id": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"name": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-322: Key Exchange without Entity Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Do not use `math/rand`. Use `crypto/rand` instead."
},
"help": {
"markdown": "Do not use `math/rand`. Use `crypto/rand` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n",
"text": "Do not use `math/rand`. Use `crypto/rand` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used",
"id": "go.lang.security.audit.crypto.math_random.math-random-used",
"name": "go.lang.security.audit.crypto.math_random.math-random-used",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10) may it be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3."
},
"help": {
"markdown": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10) may it be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\n - [https://go.dev/doc/go1.22#minor_library_changes](https://go.dev/doc/go1.22#minor_library_changes)\n - [https://pkg.go.dev/crypto/tls#:~:text=MinVersion](https://pkg.go.dev/crypto/tls#:~:text=MinVersion)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
"text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10) may it be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"id": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"name": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"id": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"name": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "SSLv3 is insecure because it has known vulnerabilities. As of go1.14, SSLv3 support has been removed from crypto/tls. Instead, use \u0027tls.VersionTLS13\u0027."
},
"help": {
"markdown": "SSLv3 is insecure because it has known vulnerabilities. As of go1.14, SSLv3 support has been removed from crypto/tls. Instead, use \u0027tls.VersionTLS13\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
"text": "SSLv3 is insecure because it has known vulnerabilities. As of go1.14, SSLv3 support has been removed from crypto/tls. Instead, use \u0027tls.VersionTLS13\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"id": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"name": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use."
},
"help": {
"markdown": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\n",
"text": "Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"id": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"name": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead."
},
"help": {
"markdown": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead."
},
"help": {
"markdown": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits"
},
"help": {
"markdown": "RSA keys should be at least 2048 bits\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"id": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"name": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"id": "go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"name": "go.lang.security.audit.dangerous-command-write.dangerous-command-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"id": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"name": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"id": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"name": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"id": "go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"name": "go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data."
},
"help": {
"markdown": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"id": "go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"name": "go.lang.security.audit.database.string-formatted-query.string-formatted-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.database.string-formatted-query.string-formatted-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."
},
"help": {
"markdown": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"id": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"name": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
"text": "A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"id": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"name": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct."
},
"help": {
"markdown": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
"text": "A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"id": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"name": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."
},
"help": {
"markdown": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n",
"text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"id": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"name": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n",
"text": "Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"name": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof whenever `net/http/pprof` is imported and the default ServeMux is served, because the import registers its handlers on http.DefaultServeMux. This could leak information about the server (heap and goroutine profiles, the process command line). Do not serve the default mux publicly: register the pprof handlers on a separate mux bound to localhost, or drop the `net/http/pprof` import outside debug builds. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation."
},
"help": {
"markdown": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof whenever `net/http/pprof` is imported and the default ServeMux is served, because the import registers its handlers on http.DefaultServeMux. This could leak information about the server (heap and goroutine profiles, the process command line). Do not serve the default mux publicly: register the pprof handlers on a separate mux bound to localhost, or drop the `net/http/pprof` import outside debug builds. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure)\n - [https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/](https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/)\n",
"text": "The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof whenever `net/http/pprof` is imported and the default ServeMux is served, because the import registers its handlers on http.DefaultServeMux. This could leak information about the server (heap and goroutine profiles, the process command line). Do not serve the default mux publicly: register the pprof handlers on a separate mux bound to localhost, or drop the `net/http/pprof` import outside debug builds. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure",
"id": "go.lang.security.audit.net.pprof.pprof-debug-exposure",
"name": "go.lang.security.audit.net.pprof.pprof-debug-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.pprof.pprof-debug-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr)\n - [https://golang.org/pkg/html/template/#HTMLAttr](https://golang.org/pkg/html/template/#HTMLAttr)\n",
"text": "Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"id": "go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"name": "go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n",
"text": "Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"id": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"name": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function."
},
"help": {
"markdown": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url)\n - [https://golang.org/pkg/html/template/#URL](https://golang.org/pkg/html/template/#URL)\n",
"text": "Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"id": "go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"name": "go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."
},
"help": {
"markdown": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n",
"text": "Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls",
"id": "go.lang.security.audit.net.use-tls.use-tls",
"name": "go.lang.security.audit.net.use-tls.use-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped."
},
"help": {
"markdown": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"id": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"name": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability."
},
"help": {
"markdown": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"id": "go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"name": "go.lang.security.audit.reflect-makefunc.reflect-makefunc",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.reflect-makefunc.reflect-makefunc"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli)\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\n",
"text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"id": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"name": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n",
"text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"id": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"name": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n",
"text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"id": "go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"name": "go.lang.security.audit.sqli.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n",
"text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"id": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"name": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."
},
"help": {
"markdown": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"id": "go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"name": "go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities."
},
"help": {
"markdown": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template)\n - [https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security](https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security)\n",
"text": "When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template",
"id": "go.lang.security.audit.xss.import-text-template.import-text-template",
"name": "go.lang.security.audit.xss.import-text-template.import-text-template",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.import-text-template.import-text-template"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027."
},
"help": {
"markdown": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"id": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"name": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"id": "go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"name": "go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead."
},
"help": {
"markdown": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag)\n - [https://github.com/golang/go/issues/19669](https://github.com/golang/go/issues/19669)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"id": "go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"name": "go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor who controls the value can inject JavaScript in this position without needing any of the characters that escaping would neutralize. Instead, obtain this variable outside of the template string and ensure your template is properly escaped."
},
"help": {
"markdown": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor who controls the value can inject JavaScript in this position without needing any of the characters that escaping would neutralize. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string)\n - [https://github.com/golang/go/issues/9200#issuecomment-66100328](https://github.com/golang/go/issues/9200#issuecomment-66100328)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor who controls the value can inject JavaScript in this position without needing any of the characters that escaping would neutralize. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"id": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"name": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n",
"text": "Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"id": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"name": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.Write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users."
},
"help": {
"markdown": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.Write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.Write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"id": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"name": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar types do not escape their contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability. Instead, do not use this type; pass the value to the template as a plain string so that \u0027template.Execute()\u0027 escapes it."
},
"help": {
"markdown": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar types do not escape their contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability. Instead, do not use this type; pass the value to the template as a plain string so that \u0027template.Execute()\u0027 escapes it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33)\n",
"text": "Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar types do not escape their contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability. Instead, do not use this type; pass the value to the template as a plain string so that \u0027template.Execute()\u0027 escapes it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"id": "go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"name": "go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File creation in shared tmp directory without using `os.CreateTemp`."
},
"help": {
"markdown": "File creation in shared tmp directory without using `os.CreateTemp`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://pkg.go.dev/io/ioutil#TempFile](https://pkg.go.dev/io/ioutil#TempFile)\n - [https://pkg.go.dev/os#CreateTemp](https://pkg.go.dev/os#CreateTemp)\n - [https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67](https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67)\n",
"text": "File creation in shared tmp directory without using `os.CreateTemp`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation",
"id": "go.lang.security.bad_tmp.bad-tmp-file-creation",
"name": "go.lang.security.bad_tmp.bad-tmp-file-creation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-377: Insecure Temporary File",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.bad_tmp.bad-tmp-file-creation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. "
},
"help": {
"markdown": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb)\n - [https://golang.org/pkg/io/#CopyN](https://golang.org/pkg/io/#CopyN)\n - [https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go](https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go)\n",
"text": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"id": "go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"name": "go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-400: Uncontrolled Resource Consumption",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme."
},
"help": {
"markdown": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse)\n - [https://pkg.go.dev/path#Clean](https://pkg.go.dev/path#Clean)\n - [http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html](http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html)\n - [https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/](https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/)\n - [https://dzx.cz/2021/04/02/go_path_traversal/](https://dzx.cz/2021/04/02/go_path_traversal/)\n - [https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme](https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme)\n",
"text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"id": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"name": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.filepath-clean-misuse.filepath-clean-misuse"
}
},
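Added worked example for the filepath-clean-misuse rule above (example code, not part of the Semgrep output or of the scanned project): it shows that `filepath.Clean` on a relative path leaves leading `..` segments intact, so `Join` climbs out of the document root, and contrasts that with the rooted-clean fix quoted in the rule text plus an explicit containment check. The root directory `/srv/www` and the sample request paths are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Hypothetical document root used for the demonstration.
const webRoot = "/srv/www"

// resolveWithClean is the pattern the rule flags. Clean only normalises the
// string it is given: "../../etc/passwd" is already in its shortest form, so
// the leading ".." segments survive and Join then climbs out of the root.
func resolveWithClean(root, userPath string) string {
	return filepath.Join(root, filepath.Clean(userPath))
}

// resolveRooted is the quick fix quoted in the rule text. Anchoring the
// user-supplied path at "/" before cleaning makes every ".." collapse against
// that virtual root instead of against the real base directory.
func resolveRooted(root, userPath string) string {
	rooted := path.Clean("/" + strings.Trim(userPath, "/"))
	return filepath.Join(root, filepath.FromSlash(rooted))
}

// insideRoot is the containment check worth keeping however the path was
// built: the resolved path must not be root's parent or anything above it.
func insideRoot(root, full string) bool {
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed sample request paths: two benign, one traversal attempt.
	for _, p := range []string{"index.html", "images/../logo.png", "../../etc/passwd"} {
		bad := resolveWithClean(webRoot, p)
		good := resolveRooted(webRoot, p)
		fmt.Printf("%-18s clean-only: %-22s inside=%-5v rooted: %s inside=%v\n",
			p, bad, insideRoot(webRoot, bad), good, insideRoot(webRoot, good))
	}
}
```

Neither variant follows symbolic links, so a link inside the root that points outside it still escapes; that is the case the rule's recommended `SecureJoin` from `github.com/cyphar/filepath-securejoin` handles, which is why it is the better fix for serving files from a directory an attacker may have written to.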
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommended, where possible, not to let user input craft the redirect URL. When user input is necessary to craft the redirect, follow OWASP best practices and restrict the URL to domains in an allowlist."
},
"help": {
"markdown": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommended, where possible, not to let user input craft the redirect URL. When user input is necessary to craft the redirect, follow OWASP best practices and restrict the URL to domains in an allowlist.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html](https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html)\n",
"text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommended, where possible, not to let user input craft the redirect URL. When user input is necessary to craft the redirect, follow OWASP best practices and restrict the URL to domains in an allowlist.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect",
"id": "go.lang.security.injection.open-redirect.open-redirect",
"name": "go.lang.security.injection.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.open-redirect.open-redirect"
}
},
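Added worked example for the open-redirect rule above (example code, not part of the Semgrep output or of the scanned project): a validator for a user-supplied "next" parameter that accepts only same-origin paths or absolute URLs whose host is on an allowlist, and that rejects the usual bypasses (protocol-relative `//host`, backslash variants, `javascript:` schemes, look-alike subdomains and userinfo tricks). The allowlisted hosts and the sample inputs are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical hosts this application is willing to send users to.
var allowedHosts = []string{"app.example.com", "accounts.example.com"}

// safeRedirectTarget validates a user-supplied redirect value and returns the
// location to use plus whether it passed. Callers fall back to a fixed default
// on failure instead of reflecting the input.
func safeRedirectTarget(raw string, allowed []string) (string, bool) {
	// Some browsers normalise "\" to "/", turning "/\evil.com" into
	// "//evil.com"; CR/LF would allow header injection. Reject all before parsing.
	if raw == "" || strings.ContainsAny(raw, "\\\r\n") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	switch {
	case u.Scheme == "" && u.Host == "":
		// Same-origin path. url.Parse puts "//evil.com" into u.Host, so a
		// protocol-relative URL never reaches here; still insist on exactly
		// one leading slash.
		if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
			return "", false
		}
		return u.String(), true
	case u.Scheme == "http" || u.Scheme == "https":
		host := u.Hostname() // port and IPv6 brackets stripped
		for _, h := range allowed {
			if strings.EqualFold(host, h) { // exact match, no suffix matching
				u.User = nil // drop "user@" so the result cannot mislead log readers
				return u.String(), true
			}
		}
		return "", false
	default:
		// javascript:, data:, protocol-relative and anything else.
		return "", false
	}
}

func main() {
	// Constructed sample inputs as they might arrive in ?next=
	samples := []string{
		"/dashboard?tab=1",
		"https://app.example.com/logout",
		"//evil.com/phish",
		"/\\evil.com",
		"javascript:alert(1)",
		"https://app.example.com.evil.com/",
		"https://app.example.com@evil.com/",
	}
	for _, s := range samples {
		loc, ok := safeRedirectTarget(s, allowedHosts)
		fmt.Printf("%-36q ok=%-5v -> %q\n", s, ok, loc)
	}
}
```

Exact host comparison matters: a prefix or suffix match on `example.com` would admit `app.example.com.evil.com`, and comparing `u.Host` rather than `u.Hostname()` would make `app.example.com:8443` fail or, worse, tempt a contains-check.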
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format",
"id": "go.lang.security.injection.raw-html-format.raw-html-format",
"name": "go.lang.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.raw-html-format.raw-html-format"
}
},
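Added worked example for the XSS rules above (no-fprintf-to-responsewriter, no-io-writestring-to-responsewriter, no-printf-in-responsewriter, unsafe-template-type and raw-html-format); it is example code, not part of the Semgrep output or of the scanned project. It contrasts a response body built with `fmt.Sprintf`, where nothing escapes the user-controlled values, with the same page rendered by `html/template`, which escapes each action for the context it lands in, and shows why wrapping a value in `template.HTML` must be reserved for constants. The page template and the attacker payloads are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed attacker input: a display name and a profile link as they might
// be submitted through a form.
const (
	evilName = `<script>alert(1)</script>`
	evilLink = `javascript:alert(1)`
)

// renderUnsafe is the pattern the rules flag: building HTML with Sprintf (or
// Fprintf / io.WriteString straight into the ResponseWriter) reflects the
// values verbatim, so the script and the javascript: URL both reach the browser.
func renderUnsafe(name, link string) string {
	return fmt.Sprintf(`<p>Hello %s</p><a href="%s">profile</a>`, name, link)
}

// page is parsed once. html/template works out that {{.Name}} sits in a text
// node and {{.Link}} in a URL attribute, and applies the matching escaper.
var page = template.Must(template.New("profile").Parse(
	`<p>Hello {{.Name}}</p><a href="{{.Link}}">profile</a>`))

// renderSafe renders the same page through html/template. The script tags
// come out as &lt;script&gt; and the javascript: URL is replaced by the
// inert placeholder #ZgotmplZ.
func renderSafe(name, link string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, map[string]string{"Name": name, "Link": link})
	return buf.String(), err
}

// renderTrusted is the escape hatch the unsafe-template-type rule warns about:
// a template.HTML value is emitted without escaping, so it must only ever be
// built from constants, never from request data.
func renderTrusted(fragment string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, map[string]interface{}{
		"Name": template.HTML(fragment), // intentionally unescaped
		"Link": "/me",
	})
	return buf.String(), err
}

func main() {
	fmt.Println("unsafe :", renderUnsafe(evilName, evilLink))
	safe, _ := renderSafe(evilName, evilLink)
	fmt.Println("safe   :", safe)
	trusted, _ := renderTrusted(evilName)
	fmt.Println("trusted:", trusted)
}
```

The same contextual escaping is what the no-interpolation-in-tag and no-interpolation-js-template-string rules depend on: `html/template` can only pick the right escaper when the action sits in a position it understands (text, attribute value, URL, JavaScript string), which is why interpolating into a tag name or inside a JS template literal is flagged.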
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). A manually-constructed SQL string is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). A manually-constructed SQL string is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://golang.org/doc/database/sql-injection](https://golang.org/doc/database/sql-injection)\n - [https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/](https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). A manually-constructed SQL string is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"id": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"name": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommended, where possible, not to let user input craft the base request, but to treat it only as part of the path or a query parameter. When user input is necessary to craft the request, follow OWASP best practices to prevent abuse, including using an allowlist."
},
"help": {
"markdown": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommended, where possible, not to let user input craft the base request, but to treat it only as part of the path or a query parameter. When user input is necessary to craft the request, follow OWASP best practices to prevent abuse, including using an allowlist.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n",
"text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommended, where possible, not to let user input craft the base request, but to treat it only as part of the path or a query parameter. When user input is necessary to craft the request, follow OWASP best practices to prevent abuse, including using an allowlist.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host",
"id": "go.lang.security.injection.tainted-url-host.tainted-url-host",
"name": "go.lang.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"HIGH CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director."
},
"help": {
"markdown": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director)\n - [https://github.com/golang/go/issues/50580](https://github.com/golang/go/issues/50580)\n",
"text": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director",
"id": "go.lang.security.reverseproxy-director.reverseproxy-director",
"name": "go.lang.security.reverseproxy-director.reverseproxy-director",
"properties": {
"precision": "very-high",
"tags": [
"CWE-115: Misinterpretation of Input",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.reverseproxy-director.reverseproxy-director"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File traversal when extracting zip archive"
},
"help": {
"markdown": "File traversal when extracting zip archive\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "File traversal when extracting zip archive\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction",
"id": "go.lang.security.zip.path-traversal-inside-zip-extraction",
"name": "go.lang.security.zip.path-traversal-inside-zip-extraction",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.lang.security.zip.path-traversal-inside-zip-extraction"
}
},
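Added worked example serving two rules above, potential-dos-via-decompression-bomb and path-traversal-inside-zip-extraction (example code, not part of the Semgrep output or of the scanned project): a zip extractor that refuses entry names which would land outside the destination directory (zip slip) and caps the bytes written per entry with `io.CopyN`, so the sizes an attacker declares in the archive header are never trusted. The archive is constructed in memory with one benign entry, one traversal entry and one entry over the demo limit; the 64-byte limit is an assumption chosen to keep the sample small.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Result records which entries were written and why the others were refused.
type Result struct {
	Extracted []string
	Rejected  map[string]string
}

// safeTarget maps an entry name onto dest and refuses names that would land
// outside it. filepath.IsLocal (Go 1.20+) rejects absolute names, ".."
// segments and empty names; filepath.Join then cleans the joined result.
func safeTarget(dest, name string) (string, error) {
	local := filepath.FromSlash(name) // zip names use forward slashes
	if !filepath.IsLocal(local) {
		return "", fmt.Errorf("entry %q is not local to the destination", name)
	}
	return filepath.Join(dest, local), nil
}

// extractEntry writes one entry, copying at most maxBytes of decompressed
// data. The limit is enforced on the bytes the decompressor actually yields,
// not on the attacker-controlled sizes in the header.
func extractEntry(dest string, f *zip.File, maxBytes int64) error {
	target, err := safeTarget(dest, f.Name)
	if err != nil {
		return err
	}
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o750)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	// O_EXCL also refuses duplicate entry names and pre-planted files.
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer out.Close()
	// Ask for one byte more than allowed: receiving it proves the entry is too big.
	n, err := io.CopyN(out, rc, maxBytes+1)
	if err != nil && !errors.Is(err, io.EOF) {
		os.Remove(target)
		return err
	}
	if n > maxBytes {
		os.Remove(target) // do not leave a truncated file behind
		return fmt.Errorf("entry %q exceeds the %d-byte limit", f.Name, maxBytes)
	}
	return nil
}

// ExtractZip extracts an in-memory archive into dest, refusing unsafe entries
// one by one so the caller can log each reason.
func ExtractZip(dest string, data []byte, maxBytes int64) (Result, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may report non-local names here (GODEBUG zipinsecurepath=0);
	// the reader stays usable and safeTarget rejects those entries itself.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return Result{}, err
	}
	res := Result{Rejected: map[string]string{}}
	for _, f := range zr.File {
		if err := extractEntry(dest, f, maxBytes); err != nil {
			res.Rejected[f.Name] = err.Error()
			continue
		}
		res.Extracted = append(res.Extracted, f.Name)
	}
	return res, nil
}

// BuildDemoZip constructs the sample archive (constructed test data): a benign
// file, a zip-slip entry and an entry larger than the demo limit.
func BuildDemoZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string][]byte{
		"ok.txt":        []byte("hello"),
		"../escape.txt": []byte("written outside dest"),
		"big.bin":       bytes.Repeat([]byte("A"), 200),
	} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dir, err := os.MkdirTemp("", "zipdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	res, _ := ExtractZip(dir, BuildDemoZip(), 64)
	fmt.Println("extracted:", res.Extracted)
	for name, why := range res.Rejected {
		fmt.Printf("rejected %q: %s\n", name, why)
	}
}
```

A per-entry cap is the minimum; a real extractor also bounds the total across entries and the entry count, since a bomb can be thousands of small entries rather than one large one.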
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution",
"id": "go.otto.security.audit.dangerous-execution.dangerous-execution",
"name": "go.otto.security.audit.dangerous-execution.dangerous-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: go.otto.security.audit.dangerous-execution.dangerous-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files."
},
"help": {
"markdown": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity",
"id": "html.security.audit.missing-integrity.missing-integrity",
"name": "html.security.audit.missing-integrity.missing-integrity",
"properties": {
"precision": "very-high",
"tags": [
"CWE-353: Missing Support for Integrity Check",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: html.security.audit.missing-integrity.missing-integrity"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
},
"help": {
"markdown": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link)\n - [https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)\n",
"text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link",
"id": "html.security.plaintext-http-link.plaintext-http-link",
"name": "html.security.plaintext-http-link.plaintext-http-link",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: html.security.plaintext-http-link.plaintext-http-link"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane."
},
"help": {
"markdown": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.android.security.exported_activity.exported_activity)\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\n",
"text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.android.security.exported_activity.exported_activity",
"id": "java.android.security.exported_activity.exported_activity",
"name": "java.android.security.exported_activity.exported_activity",
"properties": {
"precision": "very-high",
"tags": [
"CWE-926: Improper Export of Android Application Components",
"MEDIUM CONFIDENCE",
"OWASP-A5:2021 Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.android.security.exported_activity.exported_activity"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli",
"id": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
"name": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.aws-lambda.security.tainted-sqli.tainted-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"id": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"name": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"id": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"name": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"id": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"name": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"id": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"name": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection",
"id": "java.jboss.security.seam-log-injection.seam-log-injection",
"name": "java.jboss.security.seam-log-injection.seam-log-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jboss.security.seam-log-injection.seam-log-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "In $METHOD, $X is used to construct a SQL query via string concatenation."
},
"help": {
"markdown": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation",
"id": "java.jboss.security.session_sqli.find-sql-string-concatenation",
"name": "java.jboss.security.session_sqli.find-sql-string-concatenation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jboss.security.session_sqli.find-sql-string-concatenation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"id": "java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"name": "java.jjwt.security.jwt-none-alg.jjwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"id": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"name": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead."
},
"help": {
"markdown": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n",
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"id": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"name": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead."
},
"help": {
"markdown": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"id": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"name": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead."
},
"help": {
"markdown": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n",
"text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use \u0027AES/GCM/NoPadding\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"id": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"name": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"id": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"name": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"id": "java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"name": "java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.command-injection-process-builder.command-injection-process-builder"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"name": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"id": "java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"name": "java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."
},
"help": {
"markdown": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"id": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"name": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."
},
"help": {
"markdown": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"id": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"name": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES."
},
"help": {
"markdown": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n",
"text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"id": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"name": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
},
"help": {
"markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"id": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"name": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "GCM IV/nonce is reused: encryption can be totally useless"
},
"help": {
"markdown": "GCM IV/nonce is reused: encryption can be totally useless\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "GCM IV/nonce is reused: encryption can be totally useless\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"id": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"name": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"id": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"name": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."
},
"help": {
"markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n",
"text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"id": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"name": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
"properties": {
"precision": "very-high",
"tags": [
"CWE-329: Generation of Predictable IV with CBC Mode",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using RSA without OAEP mode weakens the encryption."
},
"help": {
"markdown": "Using RSA without OAEP mode weakens the encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n",
"text": "Using RSA without OAEP mode weakens the encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"id": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"name": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"
},
"help": {
"markdown": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n",
"text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"id": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"name": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead."
},
"help": {
"markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"id": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"name": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."
},
"help": {
"markdown": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"id": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"name": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information."
},
"help": {
"markdown": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager)\n - [https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https](https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https)\n",
"text": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"id": "java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"name": "java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead."
},
"help": {
"markdown": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"id": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"name": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"id": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"name": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"id": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"name": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"id": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"name": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"id": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"name": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"id": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"name": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"id": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"name": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
"text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"id": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"name": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"id": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"name": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"id": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"name": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."
},
"help": {
"markdown": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random",
"id": "java.lang.security.audit.crypto.weak-random.weak-random",
"name": "java.lang.security.audit.crypto.weak-random.weak-random",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits based on NIST recommendation."
},
"help": {
"markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"id": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"name": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"id": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"name": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection",
"id": "java.lang.security.audit.el-injection.el-injection",
"name": "java.lang.security.audit.el-injection.el-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.el-injection.el-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"id": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"name": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.formatted-sql-string.formatted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."
},
"help": {
"markdown": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n",
"text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting",
"id": "java.lang.security.audit.http-response-splitting.http-response-splitting",
"name": "java.lang.security.audit.http-response-splitting.http-response-splitting",
"properties": {
"precision": "very-high",
"tags": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027."
},
"help": {
"markdown": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting \u0027email.setSSLCheckServerIdentity(true)\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"id": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"name": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-297: Improper Validation of Certificate with Host Mismatch",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep found potential reverse shell behavior"
},
"help": {
"markdown": "Semgrep found potential reverse shell behavior\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.java-reverse-shell.java-reverse-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Semgrep found potential reverse shell behavior\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"id": "java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"name": "java.lang.security.audit.java-reverse-shell.java-reverse-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.java-reverse-shell.java-reverse-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027"
},
"help": {
"markdown": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: \u0027jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"id": "java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"name": "java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution."
},
"help": {
"markdown": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"id": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"name": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data."
},
"help": {
"markdown": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection",
"id": "java.lang.security.audit.ldap-injection.ldap-injection",
"name": "java.lang.security.audit.ldap-injection.ldap-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ldap-injection.ldap-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object."
},
"help": {
"markdown": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization)\n - [https://www.owasp.org/index.php/Deserialization_of_untrusted_data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data)\n - [https://www.oracle.com/java/technologies/javase/seccodeguide.html#8](https://www.oracle.com/java/technologies/javase/seccodeguide.html#8)\n",
"text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization",
"id": "java.lang.security.audit.object-deserialization.object-deserialization",
"name": "java.lang.security.audit.object-deserialization.object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.object-deserialization.object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection",
"id": "java.lang.security.audit.ognl-injection.ognl-injection",
"name": "java.lang.security.audit.ognl-injection.ognl-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.ognl-injection.ognl-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."
},
"help": {
"markdown": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"id": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"name": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks."
},
"help": {
"markdown": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors",
"id": "java.lang.security.audit.permissive-cors.permissive-cors",
"name": "java.lang.security.audit.permissive-cors.permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.permissive-cors.permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability."
},
"help": {
"markdown": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection",
"id": "java.lang.security.audit.script-engine-injection.script-engine-injection",
"name": "java.lang.security.audit.script-engine-injection.script-engine-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.script-engine-injection.script-engine-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"id": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"name": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"id": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"name": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"id": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"name": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"id": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"name": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"id": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"name": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"id": "java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"name": "java.lang.security.audit.sqli.turbine-sqli.turbine-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"id": "java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"name": "java.lang.security.audit.sqli.vertx-sqli.vertx-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"id": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"name": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"id": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"name": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-454: External Initialization of Trusted Variables or Data Stores",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n",
"text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"id": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"name": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"id": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"name": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-501: Trust Boundary Violation",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."
},
"help": {
"markdown": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"id": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"name": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-643: Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."
},
"help": {
"markdown": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"id": "java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"name": "java.lang.security.audit.unsafe-reflection.unsafe-reflection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."
},
"help": {
"markdown": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"id": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"name": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties."
},
"help": {
"markdown": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting",
"id": "java.lang.security.audit.url-rewriting.url-rewriting",
"name": "java.lang.security.audit.url-rewriting.url-rewriting",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.url-rewriting.url-rewriting"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."
},
"help": {
"markdown": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n",
"text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"id": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"name": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."
},
"help": {
"markdown": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder",
"id": "java.lang.security.audit.xml-decoder.xml-decoder",
"name": "java.lang.security.audit.xml-decoder.xml-decoder",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element."
},
"help": {
"markdown": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n",
"text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"id": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"name": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"LOW CONFIDENCE",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."
},
"help": {
"markdown": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n",
"text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"id": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"name": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."
},
"help": {
"markdown": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"id": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"name": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."
},
"help": {
"markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."
},
"help": {
"markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"id": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"name": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"id": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"name": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."
},
"help": {
"markdown": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
"text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"id": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"name": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."
},
"help": {
"markdown": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n",
"text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use",
"id": "java.lang.security.do-privileged-use.do-privileged-use",
"name": "java.lang.security.do-privileged-use.do-privileged-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
"text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"id": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"name": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could use a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening for/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."
},
"help": {
"markdown": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could use a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening for/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n",
"text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could use a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening for/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"id": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"name": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it might be possible to provide malicious JSON that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declarations when creating classes for Jackson-based deserialization."
},
"help": {
"markdown": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it might be possible to provide malicious JSON that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declarations when creating classes for Jackson-based deserialization.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n",
"text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it might be possible to provide malicious JSON that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declarations when creating classes for Jackson-based deserialization.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"id": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"name": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A8:2017 Insecure Deserialization",
"OWASP-A8:2021 Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027."
},
"help": {
"markdown": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"id": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"name": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."
},
"help": {
"markdown": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n",
"text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"id": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"name": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."
},
"help": {
"markdown": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n",
"text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"id": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"name": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."
},
"help": {
"markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n",
"text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"id": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"name": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."
},
"help": {
"markdown": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n",
"text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"id": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"name": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."
},
"help": {
"markdown": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization)\n - [https://frohoff.github.io/appseccali-marshalling-pickles/](https://frohoff.github.io/appseccali-marshalling-pickles/)\n - [https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi](https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi)\n - [https://youtu.be/t_aw1mDNhzI](https://youtu.be/t_aw1mDNhzI)\n - [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)\n - [https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331](https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331)\n",
"text": "Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"id": "java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"name": "java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."
},
"help": {
"markdown": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false)\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n",
"text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"id": "java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"name": "java.servlets.security.cookie-issecure-false.cookie-issecure-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.servlets.security.cookie-issecure-false.cookie-issecure-false"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection",
"id": "java.spring.security.audit.spel-injection.spel-injection",
"name": "java.spring.security.audit.spel-injection.spel-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spel-injection.spel-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."
},
"help": {
"markdown": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
"text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"id": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"name": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CSRF protection is disabled for this configuration. This is a security risk."
},
"help": {
"markdown": "CSRF protection is disabled for this configuration. This is a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "CSRF protection is disabled for this configuration. This is a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"id": "java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"name": "java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."
},
"help": {
"markdown": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"id": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"name": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027."
},
"help": {
"markdown": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli",
"id": "java.spring.security.audit.spring-sqli.spring-sqli",
"name": "java.spring.security.audit.spring-sqli.spring-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-sqli.spring-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."
},
"help": {
"markdown": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"id": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"name": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
},
"help": {
"markdown": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path",
"id": "java.spring.security.injection.tainted-file-path.tainted-file-path",
"name": "java.spring.security.injection.tainted-file-path.tainted-file-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-23: Relative Path Traversal",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string",
"id": "java.spring.security.injection.tainted-html-string.tainted-html-string",
"name": "java.spring.security.injection.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"id": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"name": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands."
},
"help": {
"markdown": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n",
"text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can\u0027t run arbitrary commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command",
"id": "java.spring.security.injection.tainted-system-command.tainted-system-command",
"name": "java.spring.security.injection.tainted-system-command.tainted-system-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host",
"id": "java.spring.security.injection.tainted-url-host.tainted-url-host",
"name": "java.spring.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027)."
},
"help": {
"markdown": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n",
"text": "Detected a method annotated with \u0027RequestMapping\u0027 that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the \u0027method\u0027 field and specify the HTTP method (such as \u0027RequestMethod.POST\u0027).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"id": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"name": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production."
},
"help": {
"markdown": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true)\n - [https://ajv.js.org/options.html#allerrors](https://ajv.js.org/options.html#allerrors)\n",
"text": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"id": "javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"name": "javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-400: Uncontrolled Resource Consumption",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."
},
"help": {
"markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"id": "javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"name": "javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."
},
"help": {
"markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"id": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"name": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection."
},
"help": {
"markdown": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"id": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"name": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."
},
"help": {
"markdown": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"id": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"name": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities."
},
"help": {
"markdown": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"id": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"name": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsCss](https://docs.angularjs.org/api/ng/service/$sce#trustAsCss)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"id": "javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"name": "javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml](https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"id": "javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"name": "javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"id": "javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"name": "javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"id": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"name": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"id": "javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"name": "javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API."
},
"help": {
"markdown": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"id": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"name": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API."
},
"help": {
"markdown": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
"text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"id": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"name": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."
},
"help": {
"markdown": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"id": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"name": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."
},
"help": {
"markdown": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n",
"text": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"id": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"name": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
"properties": {
"precision": "very-high",
"tags": [
"CWE-916: Use of Password Hash With Insufficient Computational Effort",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`."
},
"help": {
"markdown": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"id": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"name": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs."
},
"help": {
"markdown": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process",
"id": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
"name": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.detect-child-process.detect-child-process"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
},
"help": {
"markdown": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"id": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"name": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
"properties": {
"precision": "very-high",
"tags": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli",
"id": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
"name": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.knex-sqli.knex-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"id": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"name": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.mysql-sqli.mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli",
"id": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
"name": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n",
"text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(\u0027SELECT * FROM projects WHERE status = ?\u0027, { replacements: [\u0027active\u0027], type: QueryTypes.SELECT });`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"id": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"name": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval",
"id": "javascript.aws-lambda.security.tainted-eval.tainted-eval",
"name": "javascript.aws-lambda.security.tainted-eval.tainted-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-eval.tainted-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
},
"help": {
"markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"id": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"name": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"id": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"name": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions."
},
"help": {
"markdown": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"id": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"name": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()"
},
"help": {
"markdown": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution)\n - [http://bluebirdjs.com/docs/getting-started.html](http://bluebirdjs.com/docs/getting-started.html)\n",
"text": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"id": "javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"name": "javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."
},
"help": {
"markdown": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n",
"text": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss",
"id": "javascript.browser.security.dom-based-xss.dom-based-xss",
"name": "javascript.browser.security.dom-based-xss.dom-based-xss",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected",
"id": "javascript.browser.security.eval-detected.eval-detected",
"name": "javascript.browser.security.eval-detected.eval-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.eval-detected.eval-detected"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities"
},
"help": {
"markdown": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method",
"id": "javascript.browser.security.insecure-document-method.insecure-document-method",
"name": "javascript.browser.security.insecure-document-method.insecure-document-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.insecure-document-method.insecure-document-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting (XSS)."
},
"help": {
"markdown": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting (XSS).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting (XSS).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"id": "javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"name": "javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead to two types of vulnerabilities: open redirection and Cross-Site Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection."
},
"help": {
"markdown": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead to two types of vulnerabilities: open redirection and Cross-Site Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead to two types of vulnerabilities: open redirection and Cross-Site Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect",
"id": "javascript.browser.security.open-redirect.js-open-redirect",
"name": "javascript.browser.security.open-redirect.js-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.open-redirect.js-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controlled data in an HTML string may result in XSS"
},
"help": {
"markdown": "User controlled data in an HTML string may result in XSS\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n",
"text": "User controlled data in an HTML string may result in XSS\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat",
"id": "javascript.browser.security.raw-html-concat.raw-html-concat",
"name": "javascript.browser.security.raw-html-concat.raw-html-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message."
},
"help": {
"markdown": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"id": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"name": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection)\n - [https://github.com/cyrus-and/chrome-remote-interface](https://github.com/cyrus-and/chrome-remote-interface)\n",
"text": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"id": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"name": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."
},
"help": {
"markdown": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n",
"text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"id": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"name": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."
},
"help": {
"markdown": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"id": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"name": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."
},
"help": {
"markdown": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n",
"text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"id": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"name": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
"properties": {
"precision": "very-high",
"tags": [
"CWE-548: Exposure of Information Through Directory Listing",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly."
},
"help": {
"markdown": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next."
},
"help": {
"markdown": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies."
},
"help": {
"markdown": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks."
},
"help": {
"markdown": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request."
},
"help": {
"markdown": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS."
},
"help": {
"markdown": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function."
},
"help": {
"markdown": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage)\n - [https://github.com/mmckegg/notevil](https://github.com/mmckegg/notevil)\n",
"text": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"id": "javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"name": "javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1104: Use of Unmaintained Third Party Components",
"LOW CONFIDENCE",
"OWASP-A06:2021 - Vulnerable and Outdated Components",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."
},
"help": {
"markdown": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"id": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"name": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected."
},
"help": {
"markdown": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"id": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"name": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-libxml-noent.express-libxml-noent"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it."
},
"help": {
"markdown": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
"text": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"id": "javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"name": "javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website."
},
"help": {
"markdown": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect",
"id": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
"name": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination"
},
"help": {
"markdown": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"id": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"name": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing."
},
"help": {
"markdown": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n",
"text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"id": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"name": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-res-sendfile.express-res-sendfile"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"id": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"name": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "
},
"help": {
"markdown": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf",
"id": "javascript.express.security.audit.express-ssrf.express-ssrf",
"name": "javascript.express.security.audit.express-ssrf.express-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from()."
},
"help": {
"markdown": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\n",
"text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"id": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"name": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"HIGH CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
"text": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"id": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"name": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. Use literal values for object properties."
},
"help": {
"markdown": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. Use literal values for object properties.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n",
"text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it\u0027s prototype. Use literal values for object properties.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection",
"id": "javascript.express.security.audit.remote-property-injection.remote-property-injection",
"name": "javascript.express.security.audit.remote-property-injection.remote-property-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application."
},
"help": {
"markdown": "User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection)\n - [http://expressjs.com/en/4x/api.html#res.render](http://expressjs.com/en/4x/api.html#res.render)\n",
"text": "User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection",
"id": "javascript.express.security.audit.res-render-injection.res-render-injection",
"name": "javascript.express.security.audit.res-render-injection.res-render-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.res-render-injection.res-render-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML."
},
"help": {
"markdown": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site Scripting (XSS) vulnerability. Instead, use \u0027resp.render()\u0027 to render safely escaped HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"id": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"name": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.direct-response-write.direct-response-write"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need escaping, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need escaping, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)\n - [http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/](http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/)\n",
"text": "Detected an explicit unescape in an EJS template, using \u0027\u003c%- ... %\u003e\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use \u0027\u003c%= ... %\u003e\u0027 to escape this data. If you need escaping, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result."
},
"help": {
"markdown": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used as the \u0027src\u0027 in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could result in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the \u0027src\u0027 attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"id": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"name": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"id": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"name": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027."
},
"help": {
"markdown": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n",
"text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: \u0027{{{ ... }}}\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"id": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"name": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n - [https://ractive.js.org/v0.x/0.7/mustaches#variables](https://ractive.js.org/v0.x/0.7/mustaches#variables)\n",
"text": "Detected an explicit unescape in a Mustache template, using triple braces \u0027{{{...}}}\u0027 or ampersand \u0027\u0026\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes)\n - [https://pugjs.org/language/attributes.html#attributes](https://pugjs.org/language/attributes.html#attributes)\n",
"text": "Detected unescaped variables using \u0027\u0026attributes\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"id": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"name": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location."
},
"help": {
"markdown": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape)\n - [https://pugjs.org/language/code.html#unescaped-buffered-code](https://pugjs.org/language/code.html#unescaped-buffered-code)\n - [https://pugjs.org/language/attributes.html#unescaped-attributes](https://pugjs.org/language/attributes.html#unescaped-attributes)\n",
"text": "Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"id": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"name": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header."
},
"help": {
"markdown": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n",
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"id": "javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"name": "javascript.express.security.audit.xss.pug.var-in-href.var-in-href",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-href.var-in-href"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"id": "javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"name": "javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings."
},
"help": {
"markdown": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\n",
"text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"id": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"name": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.cors-misconfiguration.cors-misconfiguration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have or can lead to a mass assignment vulnerability."
},
"help": {
"markdown": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n",
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"id": "javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"name": "javascript.express.security.express-data-exfiltration.express-data-exfiltration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-data-exfiltration.express-data-exfiltration"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."
},
"help": {
"markdown": "Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n",
"text": "Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe",
"id": "javascript.express.security.express-expat-xxe.express-expat-xxe",
"name": "javascript.express.security.express-expat-xxe.express-expat-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability."
},
"help": {
"markdown": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"id": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"name": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"id": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"name": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection)\n - [https://phantomjs.org/page-automation.html](https://phantomjs.org/page-automation.html)\n",
"text": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection",
"id": "javascript.express.security.express-phantom-injection.express-phantom-injection",
"name": "javascript.express.security.express-phantom-injection.express-phantom-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-phantom-injection.express-phantom-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection)\n - [https://pptr.dev/api/puppeteer.page](https://pptr.dev/api/puppeteer.page)\n",
"text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"id": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"name": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `sandbox`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `sandbox`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `sandbox`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"id": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"name": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `$VM`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `$VM`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `$VM`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection",
"id": "javascript.express.security.express-vm-injection.express-vm-injection",
"name": "javascript.express.security.express-vm-injection.express-vm-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-vm-injection.express-vm-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection",
"id": "javascript.express.security.express-vm2-injection.express-vm2-injection",
"name": "javascript.express.security.express-vm2-injection.express-vm2-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection)\n - [https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\n",
"text": "If unverified user data can reach the `wkhtmltoimage` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"id": "javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"name": "javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection)\n - [https://www.npmjs.com/package/wkhtmltopdf](https://www.npmjs.com/package/wkhtmltopdf)\n",
"text": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"id": "javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"name": "javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
"text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"id": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"name": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format",
"id": "javascript.express.security.injection.raw-html-format.raw-html-format",
"name": "javascript.express.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."
},
"help": {
"markdown": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n",
"text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.require-request.require-request",
"id": "javascript.express.security.require-request.require-request",
"name": "javascript.express.security.require-request.require-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.require-request.require-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`."
},
"help": {
"markdown": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)\n",
"text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"id": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"name": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities"
},
"help": {
"markdown": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"id": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"name": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."
},
"help": {
"markdown": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n",
"text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"
},
"help": {
"markdown": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n",
"text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"id": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"name": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through the JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through the JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through the JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"id": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"name": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg",
"id": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
"name": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call \u0027.verify()\u0027 before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"id": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"name": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"id": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"name": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify)\n - [https://www.npmjs.com/package/jwt-simple](https://www.npmjs.com/package/jwt-simple)\n - [https://cwe.mitre.org/data/definitions/287](https://cwe.mitre.org/data/definitions/287)\n - [https://cwe.mitre.org/data/definitions/345](https://cwe.mitre.org/data/definitions/345)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set \u0027verify\u0027 to `true` before using the token.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"id": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"name": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"CWE-345: Insufficient Verification of Data Authenticity",
"CWE-347: Improper Verification of Cryptographic Signature",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible."
},
"help": {
"markdown": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)\n - [https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback](https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback)\n - [https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/](https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/)\n - [https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)\n",
"text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat",
"id": "javascript.lang.security.audit.code-string-concat.code-string-concat",
"name": "javascript.lang.security.audit.code-string-concat.code-string-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.code-string-concat.code-string-concat"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability."
},
"help": {
"markdown": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n",
"text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"id": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"name": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."
},
"help": {
"markdown": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n",
"text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"name": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable."
},
"help": {
"markdown": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key)\n - [https://rules.sonarsource.com/javascript/RSPEC-2068](https://rules.sonarsource.com/javascript/RSPEC-2068)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management)\n",
"text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"id": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"name": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag."
},
"help": {
"markdown": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"id": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"name": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-116: Improper Encoding or Escaping of Output",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.npmjs.com/package/bcrypt](https://www.npmjs.com/package/bcrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "javascript.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first."
},
"help": {
"markdown": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"id": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"name": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."
},
"help": {
"markdown": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n",
"text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"name": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead."
},
"help": {
"markdown": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"id": "javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"name": "javascript.lang.security.audit.spawn-shell-true.spawn-shell-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.spawn-shell-true.spawn-shell-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi."
},
"help": {
"markdown": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"id": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"name": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n",
"text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"id": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"name": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."
},
"help": {
"markdown": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"id": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"name": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n",
"text": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"id": "javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"name": "javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data."
},
"help": {
"markdown": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag)\n - [https://www.developsec.com/2017/11/09/xss-in-a-script-tag/](https://www.developsec.com/2017/11/09/xss-in-a-script-tag/)\n - [https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68](https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68)\n",
"text": "Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"id": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"name": "javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a util.format / console.log call. If an attacker can inject a format specifier into the string, the log message can be forged. Use a constant format string and pass variable data as separate arguments."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a util.format / console.log call. If an attacker can inject a format specifier into the string, the log message can be forged. Use a constant format string and pass variable data as separate arguments.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n",
"text": "Detected string concatenation with a non-literal variable in a util.format / console.log call. If an attacker can inject a format specifier into the string, the log message can be forged. Use a constant format string and pass variable data as separate arguments.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"id": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"name": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring",
"properties": {
"precision": "very-high",
"tags": [
"CWE-134: Use of Externally-Controlled Format String",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer."
},
"help": {
"markdown": "Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert)\n - [https://cwe.mitre.org/data/definitions/119.html](https://cwe.mitre.org/data/definitions/119.html)\n",
"text": "Detected usage of noassert in the Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert",
"properties": {
"precision": "very-high",
"tags": [
"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. "
},
"help": {
"markdown": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n",
"text": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process",
"id": "javascript.lang.security.detect-child-process.detect-child-process",
"name": "javascript.lang.security.detect-child-process.detect-child-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-child-process.detect-child-process"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Markup escaping disabled. In some template engines this turns off escaping of HTML entities, which can lead to XSS attacks."
},
"help": {
"markdown": "Markup escaping disabled. In some template engines this turns off escaping of HTML entities, which can lead to XSS attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Markup escaping disabled. In some template engines this turns off escaping of HTML entities, which can lead to XSS attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-116: Improper Encoding or Escaping of Output",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."
},
"help": {
"markdown": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n",
"text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections."
},
"help": {
"markdown": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"id": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"name": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later."
},
"help": {
"markdown": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md](https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md)\n",
"text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers."
},
"help": {
"markdown": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"id": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"name": "javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability."
},
"help": {
"markdown": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n",
"text": "Depending on the context, user-controlled data in `Object.assign` can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign",
"id": "javascript.lang.security.insecure-object-assign.insecure-object-assign",
"name": "javascript.lang.security.insecure-object-assign.insecure-object-assign",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input."
},
"help": {
"markdown": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone \u0027ext::sh -c whoami% \u003e\u00262\u0027 will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone",
"id": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
"name": "javascript.lang.security.spawn-git-clone.spawn-git-clone",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.lang.security.spawn-git-clone.spawn-git-clone"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If user input reaches `HoverProvider` while `supportHtml` is set to `true`, it may introduce an XSS vulnerability. Do not produce HTML for hovers from dynamically generated input."
},
"help": {
"markdown": "If user input reaches `HoverProvider` while `supportHtml` is set to `true`, it may introduce an XSS vulnerability. Do not produce HTML for hovers from dynamically generated input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport)\n - [https://github.com/microsoft/monaco-editor/issues/801](https://github.com/microsoft/monaco-editor/issues/801)\n",
"text": "If user input reaches `HoverProvider` while `supportHtml` is set to `true`, it may introduce an XSS vulnerability. Do not produce HTML for hovers from dynamically generated input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"id": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"name": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "In an authenticated encryption mode, the \u0027final\u0027 call of a Decipher object is what verifies the authentication tag. Failing to call \u0027final\u0027 discards all integrity guarantees for the plaintext already released by \u0027update\u0027."
},
"help": {
"markdown": "In an authenticated encryption mode, the \u0027final\u0027 call of a Decipher object is what verifies the authentication tag. Failing to call \u0027final\u0027 discards all integrity guarantees for the plaintext already released by \u0027update\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final)\n - [https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding](https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
"text": "In an authenticated encryption mode, the \u0027final\u0027 call of a Decipher object is what verifies the authentication tag. Failing to call \u0027final\u0027 discards all integrity guarantees for the plaintext already released by \u0027update\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final",
"id": "javascript.node-crypto.security.aead-no-final.aead-no-final",
"name": "javascript.node-crypto.security.aead-no-final.aead-no-final",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: CWE CATEGORY: Cryptographic Issues",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.aead-no-final.aead-no-final"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this breaks both confidentiality and integrity if the key is used more than once. Other modes are weakened, though not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead."
},
"help": {
"markdown": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this breaks both confidentiality and integrity if the key is used more than once. Other modes are weakened, though not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n",
"text": "The deprecated functions \u0027createCipher\u0027 and \u0027createDecipher\u0027 generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this breaks both confidentiality and integrity if the key is used more than once. Other modes are weakened, though not completely broken. Use \u0027createCipheriv\u0027 or \u0027createDecipheriv\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"id": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"name": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1204: Generation of Weak Initialization Vector (IV)",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."
},
"help": {
"markdown": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
"text": "The call to \u0027createDecipheriv\u0027 with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"id": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"name": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: CWE CATEGORY: Cryptographic Issues",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"id": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"name": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection",
"id": "javascript.phantom.security.audit.phantom-injection.phantom-injection",
"name": "javascript.phantom.security.audit.phantom-injection.phantom-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"id": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"name": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"id": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"name": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"id": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"name": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk."
},
"help": {
"markdown": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"id": "javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"name": "javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"id": "javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"name": "javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"id": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"name": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk."
},
"help": {
"markdown": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"id": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"name": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"id": "javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"name": "javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `sandbox`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `sandbox`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `sandbox`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"id": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"name": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML."
},
"help": {
"markdown": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe)\n - [https://github.com/Leonidas-from-XIV/node-xml2js/issues/415](https://github.com/Leonidas-from-XIV/node-xml2js/issues/415)\n - [https://github.com/isaacs/sax-js](https://github.com/isaacs/sax-js)\n",
"text": "Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe",
"id": "javascript.sax.security.audit.sax-xxe.sax-xxe",
"name": "javascript.sax.security.audit.sax-xxe.sax-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sax.security.audit.sax-xxe.sax-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""
},
"help": {
"markdown": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n",
"text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"id": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"name": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."
},
"help": {
"markdown": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n",
"text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"id": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"name": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."
},
"help": {
"markdown": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n",
"text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"id": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"name": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."
},
"help": {
"markdown": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n",
"text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"id": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"name": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS."
},
"help": {
"markdown": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"id": "javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"name": "javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript",
"properties": {
"precision": "very-high",
"tags": [
"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution"
},
"help": {
"markdown": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"id": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"name": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential arbitrary code execution, piped to eval"
},
"help": {
"markdown": "Potential arbitrary code execution, piped to eval\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Potential arbitrary code execution, piped to eval\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"id": "javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"name": "javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"id": "javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"name": "javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Make sure that unverified user data can not reach `vm2`."
},
"help": {
"markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Make sure that unverified user data can not reach `vm2`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"id": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"name": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content."
},
"help": {
"markdown": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html)\n - [https://vuejs.org/v2/guide/syntax.html#Raw-HTML](https://vuejs.org/v2/guide/syntax.html#Raw-HTML)\n",
"text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"id": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"name": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"id": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"name": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"id": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"name": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
},
"help": {
"markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."
},
"help": {
"markdown": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n",
"text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket",
"id": "json.aws.security.public-s3-bucket.public-s3-bucket",
"name": "json.aws.security.public-s3-bucket.public-s3-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket."
},
"help": {
"markdown": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html)\n",
"text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
"properties": {
"precision": "very-high",
"tags": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.public-s3-policy-statement.public-s3-policy-statement"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`."
},
"help": {
"markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role",
"id": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
"name": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."
},
"help": {
"markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"id": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"name": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"id": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"name": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead."
},
"help": {
"markdown": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n",
"text": "\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\"%02X\", ...)\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"id": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"name": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"id": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"name": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the \u0027HttpOnly\u0027 flag by calling \u0027cookie.setHttpOnly(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"id": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"name": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027"
},
"help": {
"markdown": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "A cookie was detected without setting the \u0027secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027secure\u0027 flag by calling \u0027$COOKIE.setSecure(true);\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"id": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"name": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."
},
"help": {
"markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"id": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"name": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
},
"help": {
"markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher",
"id": "kotlin.lang.security.ecb-cipher.ecb-cipher",
"name": "kotlin.lang.security.ecb-cipher.ecb-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.ecb-cipher.ecb-cipher"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. In certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing the same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted."
},
"help": {
"markdown": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. In certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing the same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection)\n - [https://cwe.mitre.org/data/definitions/323.html](https://cwe.mitre.org/data/definitions/323.html)\n",
"text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. In certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing the same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection",
"id": "kotlin.lang.security.gcm-detection.gcm-detection",
"name": "kotlin.lang.security.gcm-detection.gcm-detection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.gcm-detection.gcm-detection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
},
"help": {
"markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher",
"id": "kotlin.lang.security.no-null-cipher.no-null-cipher",
"name": "kotlin.lang.security.no-null-cipher.no-null-cipher",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead"
},
"help": {
"markdown": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"id": "kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"name": "kotlin.lang.security.unencrypted-socket.unencrypted-socket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5",
"id": "kotlin.lang.security.use-of-md5.use-of-md5",
"name": "kotlin.lang.security.use-of-md5.use-of-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1",
"id": "kotlin.lang.security.use-of-sha1.use-of-sha1",
"name": "kotlin.lang.security.use-of-sha1.use-of-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.use-of-sha1.use-of-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RSA keys should be at least 2048 bits based on NIST recommendation."
},
"help": {
"markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
"text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"id": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"name": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib."
},
"help": {
"markdown": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives)\n",
"text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"id": "ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"name": "ocaml.lang.compatibility.deprecated.deprecated-pervasives",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.compatibility.deprecated.deprecated-pervasives"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning."
},
"help": {
"markdown": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line)\n",
"text": "\u0027input_line\u0027 leaves a \u0027\\r\u0027 (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing \u0027\\r\u0027 after reading the line, add a \u0027(* nosemgrep *)\u0027 comment to disable this warning.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line",
"id": "ocaml.lang.portability.crlf-support.broken-input-line",
"name": "ocaml.lang.portability.crlf-support.broken-input-line",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.broken-input-line"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027."
},
"help": {
"markdown": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode)\n",
"text": "\u0027open_in\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_in_bin\u0027 or \u0027open_in_gen [Open_binary]\u0027. If you really want CRLF-to-LF translations to take place when running on Windows, use \u0027open_in_gen [Open_text]\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"id": "ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"name": "ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027."
},
"help": {
"markdown": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode)\n",
"text": "\u0027open_out\u0027 behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use \u0027open_out_bin\u0027 or \u0027open_out_gen [Open_binary]\u0027. If you really want LF-to-CRLF translations to take place when running on Windows, use \u0027open_out_gen [Open_text]\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"id": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"name": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "You should probably use Filename.get_temp_dirname()."
},
"help": {
"markdown": "You should probably use Filename.get_temp_dirname().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n",
"text": "You should probably use Filename.get_temp_dirname().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"id": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"name": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Unsafe functions do not perform boundary checks or have other side effects, use with care."
},
"help": {
"markdown": "Unsafe functions do not perform boundary checks or have other side effects, use with care.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.security.unsafe.ocamllint-unsafe)\n - [https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get](https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get)\n - [https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string](https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string)\n",
"text": "Unsafe functions do not perform boundary checks or have other side effects, use with care.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ocaml.lang.security.unsafe.ocamllint-unsafe",
"id": "ocaml.lang.security.unsafe.ocamllint-unsafe",
"name": "ocaml.lang.security.unsafe.ocamllint-unsafe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-242: Use of Inherently Dangerous Function (4.12)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ocaml.lang.security.unsafe.ocamllint-unsafe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"id": "php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"name": "php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead."
},
"help": {
"markdown": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
"text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"id": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"name": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling assert with user input is equivalent to eval\u0027ing."
},
"help": {
"markdown": "Calling assert with user input is equivalent to eval\u0027ing.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.assert-use.assert-use)\n - [https://www.php.net/manual/en/function.assert](https://www.php.net/manual/en/function.assert)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php)\n",
"text": "Calling assert with user input is equivalent to eval\u0027ing.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.assert-use.assert-use",
"id": "php.lang.security.assert-use.assert-use",
"name": "php.lang.security.assert-use.assert-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.assert-use.assert-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."
},
"help": {
"markdown": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n",
"text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"id": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"name": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-252: Unchecked Return Value",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash",
"id": "php.lang.security.audit.sha224-hash.sha224-hash",
"name": "php.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Backticks use may lead to command injection vulnerabilities."
},
"help": {
"markdown": "Backticks use may lead to command injection vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use)\n - [https://www.php.net/manual/en/language.operators.execution.php](https://www.php.net/manual/en/language.operators.execution.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php)\n",
"text": "Backticks use may lead to command injection vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use",
"id": "php.lang.security.backticks-use.backticks-use",
"name": "php.lang.security.backticks-use.backticks-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.backticks-use.backticks-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens."
},
"help": {
"markdown": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision)\n - [https://www.php.net/base_convert](https://www.php.net/base_convert)\n - [https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/](https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/)\n",
"text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"id": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"name": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-190: Integer Overflow or Wraparound",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.base-convert-loses-precision.base-convert-loses-precision"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)"
},
"help": {
"markdown": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off)\n - [https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/](https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/)\n",
"text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"id": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"name": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables."
},
"help": {
"markdown": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data)\n - [https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes](https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes)\n",
"text": "Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data",
"id": "php.lang.security.deserialization.extract-user-data",
"name": "php.lang.security.deserialization.extract-user-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.deserialization.extract-user-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Evaluating non-constant commands. This can lead to command injection."
},
"help": {
"markdown": "Evaluating non-constant commands. This can lead to command injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.eval-use.eval-use)\n - [https://www.php.net/manual/en/function.eval](https://www.php.net/manual/en/function.eval)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n",
"text": "Evaluating non-constant commands. This can lead to command injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.eval-use.eval-use",
"id": "php.lang.security.eval-use.eval-use",
"name": "php.lang.security.eval-use.eval-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.eval-use.eval-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Executing non-constant commands. This can lead to command injection."
},
"help": {
"markdown": "Executing non-constant commands. This can lead to command injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.exec-use.exec-use)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php)\n",
"text": "Executing non-constant commands. This can lead to command injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.exec-use.exec-use",
"id": "php.lang.security.exec-use.exec-use",
"name": "php.lang.security.exec-use.exec-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.exec-use.exec-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative."
},
"help": {
"markdown": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n",
"text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use",
"id": "php.lang.security.ftp-use.ftp-use",
"name": "php.lang.security.ftp-use.ftp-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.ftp-use.ftp-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users."
},
"help": {
"markdown": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request)\n - [https://www.php.net/manual/en/function.htmlentities.php](https://www.php.net/manual/en/function.htmlentities.php)\n - [https://www.php.net/manual/en/reserved.variables.request.php](https://www.php.net/manual/en/reserved.variables.request.php)\n - [https://www.php.net/manual/en/reserved.variables.post.php](https://www.php.net/manual/en/reserved.variables.post.php)\n - [https://www.php.net/manual/en/reserved.variables.get.php](https://www.php.net/manual/en/reserved.variables.get.php)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request",
"id": "php.lang.security.injection.printed-request.printed-request",
"name": "php.lang.security.injection.printed-request.printed-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.printed-request.printed-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Callable based on user input risks remote code execution."
},
"help": {
"markdown": "Callable based on user input risks remote code execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable)\n - [https://www.php.net/manual/en/language.types.callable.php](https://www.php.net/manual/en/language.types.callable.php)\n",
"text": "Callable based on user input risks remote code execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable",
"id": "php.lang.security.injection.tainted-callable.tainted-callable",
"name": "php.lang.security.injection.tainted-callable.tainted-callable",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-callable.tainted-callable"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User input is passed to a function that executes a shell command. This can lead to remote code execution."
},
"help": {
"markdown": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec",
"id": "php.lang.security.injection.tainted-exec.tainted-exec",
"name": "php.lang.security.injection.tainted-exec.tainted-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-exec.tainted-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "File name based on user input risks server-side request forgery."
},
"help": {
"markdown": "File name based on user input risks server-side request forgery.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
"text": "File name based on user input risks server-side request forgery.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename",
"id": "php.lang.security.injection.tainted-filename.tainted-filename",
"name": "php.lang.security.injection.tainted-filename.tainted-filename",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application."
},
"help": {
"markdown": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"id": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"name": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."
},
"help": {
"markdown": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n",
"text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session",
"id": "php.lang.security.injection.tainted-session.tainted-session",
"name": "php.lang.security.injection.tainted-session.tainted-session",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"id": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"name": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host",
"id": "php.lang.security.injection.tainted-url-host.tainted-url-host",
"name": "php.lang.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP."
},
"help": {
"markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password)\n - [https://www.php.net/manual/en/function.ldap-bind.php](https://www.php.net/manual/en/function.ldap-bind.php)\n",
"text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"id": "php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"name": "php.lang.security.ldap-bind-without-password.ldap-bind-without-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.ldap-bind-without-password.ldap-bind-without-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code."
},
"help": {
"markdown": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval)\n - [https://www.php.net/manual/en/function.mb-ereg-replace.php](https://www.php.net/manual/en/function.mb-ereg-replace.php)\n - [https://www.php.net/manual/en/function.mb-regex-set-options.php](https://www.php.net/manual/en/function.mb-regex-set-options.php)\n",
"text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"id": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"name": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL."
},
"help": {
"markdown": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use)\n - [https://www.php.net/manual/en/intro.mcrypt.php](https://www.php.net/manual/en/intro.mcrypt.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php)\n",
"text": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use",
"id": "php.lang.security.mcrypt-use.mcrypt-use",
"name": "php.lang.security.mcrypt-use.mcrypt-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.mcrypt-use.mcrypt-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"
},
"help": {
"markdown": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/](https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/)\n",
"text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality",
"id": "php.lang.security.md5-loose-equality.md5-loose-equality",
"name": "php.lang.security.md5-loose-equality.md5-loose-equality",
"properties": {
"precision": "very-high",
"tags": [
"CWE-697: Incorrect Comparison",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password",
"id": "php.lang.security.md5-used-as-password.md5-used-as-password",
"name": "php.lang.security.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data."
},
"help": {
"markdown": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv)\n - [https://csrc.nist.gov/publications/detail/sp/800-38a/final](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\n",
"text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"id": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"name": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-329: Generation of Predictable IV with CBC Mode",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors",
"id": "php.lang.security.php-permissive-cors.php-permissive-cors",
"name": "php.lang.security.php-permissive-cors.php-permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment."
},
"help": {
"markdown": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use)\n - [https://www.php.net/manual/en/function.phpinfo](https://www.php.net/manual/en/function.phpinfo)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php)\n",
"text": "The \u0027phpinfo\u0027 function may reveal sensitive information about your environment.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use",
"id": "php.lang.security.phpinfo-use.phpinfo-use",
"name": "php.lang.security.phpinfo-use.phpinfo-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.phpinfo-use.phpinfo-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command."
},
"help": {
"markdown": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec)\n - [https://www.stackhawk.com/blog/php-command-injection/](https://www.stackhawk.com/blog/php-command-injection/)\n - [https://brightsec.com/blog/code-injection-php/](https://brightsec.com/blog/code-injection-php/)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n",
"text": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec",
"id": "php.lang.security.tainted-exec.tainted-exec",
"name": "php.lang.security.tainted-exec.tainted-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.tainted-exec.tainted-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use)\n - [https://www.php.net/manual/en/function.unlink](https://www.php.net/manual/en/function.unlink)\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\n",
"text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use",
"id": "php.lang.security.unlink-use.unlink-use",
"name": "php.lang.security.unlink-use.unlink-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.unlink-use.unlink-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers)."
},
"help": {
"markdown": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use)\n - [https://www.php.net/manual/en/function.unserialize.php](https://www.php.net/manual/en/function.unserialize.php)\n - [https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html](https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html)\n",
"text": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use",
"id": "php.lang.security.unserialize-use.unserialize-use",
"name": "php.lang.security.unserialize-use.unserialize-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.lang.security.unserialize-use.unserialize-use"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation."
},
"help": {
"markdown": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n",
"text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"id": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"name": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."
},
"help": {
"markdown": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n",
"text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"id": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"name": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection."
},
"help": {
"markdown": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator)\n - [https://laravel.com/docs/9.x/validation#rule-unique](https://laravel.com/docs/9.x/validation#rule-unique)\n",
"text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"id": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"name": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`."
},
"help": {
"markdown": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled)\n - [https://symfony.com/doc/current/security/csrf.html](https://symfony.com/doc/current/security/csrf.html)\n",
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"id": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"name": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs."
},
"help": {
"markdown": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect)\n - [https://symfony.com/doc/current/controller.html#redirecting](https://symfony.com/doc/current/controller.html#redirecting)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"id": "php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"name": "php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"id": "php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"name": "php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-346: Origin Validation Error",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities."
},
"help": {
"markdown": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit)\n - [https://developer.wordpress.org/reference/functions/wp_safe_remote_get/](https://developer.wordpress.org/reference/functions/wp_safe_remote_get/)\n - [https://developer.wordpress.org/reference/functions/wp_remote_get/](https://developer.wordpress.org/reference/functions/wp_remote_get/)\n - [https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/)\n",
"text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"id": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"name": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."
},
"help": {
"markdown": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate](https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate)\n",
"text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions)\n - [https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle](https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle)\n",
"text": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"id": "problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"name": "problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"HIGH CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request)\n - [https://godoc.org/github.com/jlaffaye/ftp#Dial](https://godoc.org/github.com/jlaffaye/ftp#Dial)\n - [https://github.com/jlaffaye/ftp](https://github.com/jlaffaye/ftp)\n",
"text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n",
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n",
"text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."
},
"help": {
"markdown": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request)\n - [https://golang.org/pkg/net/http/#NewRequest](https://golang.org/pkg/net/http/#NewRequest)\n",
"text": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."
},
"help": {
"markdown": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n",
"text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n",
"text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks."
},
"help": {
"markdown": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request)\n - [https://godoc.org/github.com/reiver/go-telnet](https://godoc.org/github.com/reiver/go-telnet)\n",
"text": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."
},
"help": {
"markdown": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n",
"text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network."
},
"help": {
"markdown": "Checks for outgoing connections to FTP servers via the Spring Integration ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request)\n - [https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-](https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-)\n",
"text": "Checks for outgoing connections to FTP servers via the Spring Integration ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"id": "problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"name": "problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via the Java Spring RestTemplate API to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via the Java Spring RestTemplate API to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n",
"text": "Checks for requests sent via the Java Spring RestTemplate API to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"id": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"name": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for overrides of the checkServerTrusted method of the X509TrustManager interface that disable TLS/SSL certificate verification. This should only be used for debugging purposes because it leaves the application vulnerable to MITM attacks."
},
"help": {
"markdown": "Checks for overrides of the checkServerTrusted method of the X509TrustManager interface that disable TLS/SSL certificate verification. This should only be used for debugging purposes because it leaves the application vulnerable to MITM attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification)\n - [https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-](https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n",
"text": "Checks for overrides of the checkServerTrusted method of the X509TrustManager interface that disable TLS/SSL certificate verification. This should only be used for debugging purposes because it leaves the application vulnerable to MITM attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1)\n - [https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle](https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle)\n",
"text": "Detects direct creations of SSLConnectionSocketFactories that don\u0027t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"id": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"name": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications](https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications)\n",
"text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"id": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"name": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to FTP servers. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network."
},
"help": {
"markdown": "Checks for outgoing connections to FTP servers. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request)\n - [https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server](https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server)\n - [https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html](https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html)\n",
"text": "Checks for outgoing connections to FTP servers. FTP does not encrypt traffic, possibly leading to PII being sent in plaintext over the network.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request)\n - [https://hc.apache.org/httpcomponents-client-ga/quickstart.html](https://hc.apache.org/httpcomponents-client-ga/quickstart.html)\n",
"text": "Checks for requests sent via Apache HTTP Components to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n",
"text": "Checks for requests sent via HttpClient to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS."
},
"help": {
"markdown": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n",
"text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS."
},
"help": {
"markdown": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n",
"text": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects raw socket connections to HTTP, Telnet, and FTP servers. This is dangerous because these protocols do not encrypt traffic."
},
"help": {
"markdown": "Detects raw socket connections to HTTP, Telnet, and FTP servers. This is dangerous because these protocols do not encrypt traffic.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request)\n - [https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html](https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html)\n",
"text": "Detects raw socket connections to HTTP, Telnet, and FTP servers. This is dangerous because these protocols do not encrypt traffic.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for attempts to connect through Telnet. This is insecure because the Telnet protocol supports no encryption, so all data, including credentials, crosses the network unencrypted."
},
"help": {
"markdown": "Checks for attempts to connect through Telnet. This is insecure because the Telnet protocol supports no encryption, so all data, including credentials, crosses the network unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n",
"text": "Checks for attempts to connect through Telnet. This is insecure because the Telnet protocol supports no encryption, so all data, including credentials, crosses the network unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for cases where Java applications allow unsafe (legacy) TLS renegotiation. This leaves the application vulnerable to a man-in-the-middle attack in which chosen plaintext is injected as a prefix to a TLS connection."
},
"help": {
"markdown": "Checks for cases where Java applications allow unsafe (legacy) TLS renegotiation. This leaves the application vulnerable to a man-in-the-middle attack in which chosen plaintext is injected as a prefix to a TLS connection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n",
"text": "Checks for cases where Java applications allow unsafe (legacy) TLS renegotiation. This leaves the application vulnerable to a man-in-the-middle attack in which chosen plaintext is injected as a prefix to a TLS connection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"id": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"name": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request)\n - [https://kong.github.io/unirest-java/#requests](https://kong.github.io/unirest-java/#requests)\n",
"text": "Checks for requests sent via Unirest to http:// URLs. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS certificate verification process-wide. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. Both options leave the application vulnerable to MITM attacks and should not be used."
},
"help": {
"markdown": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS certificate verification process-wide. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. Both options leave the application vulnerable to MITM attacks and should not be used.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n",
"text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS certificate verification process-wide. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. Both options leave the application vulnerable to MITM attacks and should not be used.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"id": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"name": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n",
"text": "Detects direct creations of $HTTPS servers that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities."
},
"help": {
"markdown": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n",
"text": "Detects creations of $HTTPS servers from option objects that don\u0027t disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module."
},
"help": {
"markdown": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request)\n - [https://www.npmjs.com/package/ftp](https://www.npmjs.com/package/ftp)\n - [https://openbase.io/js/ftp](https://openbase.io/js/ftp)\n",
"text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still do not encrypt all traffic. ftp is the most utilized npm ftp module.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request)\n - [https://nodejs.org/api/http.html#http_http_request_options_callback](https://nodejs.org/api/http.html#http_http_request_options_callback)\n",
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request",
"id": "problem-based-packs.insecure-transport.js-node.http-request.http-request",
"name": "problem-based-packs.insecure-transport.js-node.http-request.http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.http-request.http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using some of node js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using some of node js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n - [https://www.npmjs.com/package/got](https://www.npmjs.com/package/got)\n - [https://www.npmjs.com/package/node-rest-client](https://www.npmjs.com/package/node-rest-client)\n",
"text": "Checks for requests to http (unencrypted) sites using some of node js\u0027s most popular REST/HTTP libraries, including node-rest-client, axios, and got.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"id": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"name": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."
},
"help": {
"markdown": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request)\n - [https://www.npmjs.com/package/telnet](https://www.npmjs.com/package/telnet)\n - [https://www.npmjs.com/package/telnet-client](https://www.npmjs.com/package/telnet-client)\n",
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"id": "problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"name": "problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."
},
"help": {
"markdown": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n",
"text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"id": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"name": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient."
},
"help": {
"markdown": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests)\n - [https://github.com/rest-client/rest-client](https://github.com/rest-client/rest-client)\n - [https://github.com/jnunemaker/httparty/tree/master/docs](https://github.com/jnunemaker/httparty/tree/master/docs)\n",
"text": "Checks for requests to http (unencrypted) sites using some of ruby\u0027s most popular REST/HTTP libraries, including httparty and restclient.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request)\n - [https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html](https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html)\n",
"text": "Checks for outgoing connections to ftp servers with the \u0027net/ftp\u0027 package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs."
},
"help": {
"markdown": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request)\n - [https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/](https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/)\n",
"text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."
},
"help": {
"markdown": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n",
"text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for requests to http and ftp (unencrypted) sites using OpenURI."
},
"help": {
"markdown": "Checks for requests to http and ftp (unencrypted) sites using OpenURI.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request)\n - [https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html](https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html)\n",
"text": "Checks for requests to http and ftp (unencrypted) sites using OpenURI.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"id": "problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"name": "problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources."
},
"help": {
"markdown": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"id": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"name": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec)\n - [https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec](https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected \u0027create_subprocess_exec\u0027 function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"id": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"name": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected subprocess function \u0027$LOOP.subprocess_exec\u0027 with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"id": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"name": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell)\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"id": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"name": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here."
},
"help": {
"markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"id": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"name": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose."
},
"help": {
"markdown": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
"text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using \u0027shlex.split()\u0027 for this purpose.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"id": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"name": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability."
},
"help": {
"markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"id": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"name": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dangerous-system-call.dangerous-system-call"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
},
"help": {
"markdown": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection)\n - [https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac](https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac)\n",
"text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"id": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"name": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli",
"id": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
"name": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.mysql-sqli.mysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/cursor.html#cursor.execute](https://www.psycopg.org/docs/cursor.html#cursor.execute)\n - [https://www.psycopg.org/docs/cursor.html#cursor.executemany](https://www.psycopg.org/docs/cursor.html#cursor.executemany)\n - [https://www.psycopg.org/docs/cursor.html#cursor.mogrify](https://www.psycopg.org/docs/cursor.html#cursor.mogrify)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"id": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"name": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.psycopg-sqli.psycopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"id": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"name": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli)\n - [https://pypi.org/project/PyMySQL/#id4](https://pypi.org/project/PyMySQL/#id4)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = %s\u0027, (\u0027active\u0027))`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"id": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"name": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.pymysql-sqli.pymysql-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli)\n - [https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute](https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(\u0027SELECT * FROM projects WHERE status = ?\u0027, \u0027active\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"id": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"name": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"id": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"name": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-code-exec.tainted-code-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
},
"help": {
"markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response",
"id": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
"name": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string",
"id": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
"name": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-html-string.tainted-html-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n",
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"id": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"name": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://bento.dev/checks/boto3/hardcoded-access-token/](https://bento.dev/checks/boto3/hardcoded-access-token/)\n - [https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token",
"id": "python.boto3.security.hardcoded-token.hardcoded-token",
"name": "python.boto3.security.hardcoded-token.hardcoded-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.boto3.security.hardcoded-token.hardcoded-token"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption."
},
"help": {
"markdown": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://cwe.mitre.org/data/definitions/310.html](https://cwe.mitre.org/data/definitions/310.html)\n",
"text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key",
"id": "python.cryptography.security.empty-aes-key.empty-aes-key",
"name": "python.cryptography.security.empty-aes-key.empty-aes-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-310: Cryptographic Issues",
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A6:2017 misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.empty-aes-key.empty-aes-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n",
"text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"id": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"name": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n",
"text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"id": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"name": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
},
"help": {
"markdown": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n",
"text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"id": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"name": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM."
},
"help": {
"markdown": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n",
"text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"id": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"name": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"id": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"name": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"id": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"name": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf](https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"id": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"name": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027."
},
"help": {
"markdown": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves)\n",
"text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use \u0027ec.SECP256R1\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"id": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"name": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."
},
"help": {
"markdown": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n",
"text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.distributed.security.require-encryption",
"id": "python.distributed.security.require-encryption",
"name": "python.distributed.security.require-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.distributed.security.require-encryption"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."
},
"help": {
"markdown": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"id": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"name": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead."
},
"help": {
"markdown": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe)\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe)\n - [https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html)\n",
"text": "\u0027mark_safe()\u0027 is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use \u0027django.utils.html.format_html()\u0027 to build HTML for rendering instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"id": "python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"name": "python.django.security.audit.avoid-mark-safe.avoid-mark-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.avoid-mark-safe.avoid-mark-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator."
},
"help": {
"markdown": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user\u0027s account and exfiltration of private data. Instead, create a function without this decorator.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt",
"id": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
"name": "python.django.security.audit.csrf-exempt.no-csrf-exempt",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.csrf-exempt.no-csrf-exempt"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized."
},
"help": {
"markdown": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Detected a Custom Expression \u0027\u0027$EXPRESSION\u0027\u0027 calling \u0027\u0027as_sql(...).\u0027\u0027 This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"id": "python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"name": "python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application."
},
"help": {
"markdown": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config)\n - [https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy](https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy)\n",
"text": "Django REST framework configuration is missing default rate-limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add \u0027DEFAULT_THROTTLE_CLASSES\u0027 and \u0027DEFAULT_THROTTLE_RATES\u0027 to add rate-limiting to your application.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"id": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"name": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config",
"properties": {
"precision": "very-high",
"tags": [
"CWE-770: Allocation of Resources Without Limits or Throttling",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized."
},
"help": {
"markdown": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression",
"id": "python.django.security.audit.extends-custom-expression.extends-custom-expression",
"name": "python.django.security.audit.extends-custom-expression.extends-custom-expression",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.extends-custom-expression.extends-custom-expression"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`."
},
"help": {
"markdown": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra)\n - [https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra](https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "\u0027QuerySet.extra\u0027 does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using \u0027.extra\u0027, use the Django ORM and parameterized queries such as `People.objects.get(name=\u0027Bob\u0027)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra",
"id": "python.django.security.audit.query-set-extra.avoid-query-set-extra",
"name": "python.django.security.audit.query-set-extra.avoid-query-set-extra",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.query-set-extra.avoid-query-set-extra"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`"
},
"help": {
"markdown": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n",
"text": "Detected the use of \u0027RawSQL\u0027 or \u0027raw\u0027 indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=\u0027Bob\u0027)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql",
"id": "python.django.security.audit.raw-query.avoid-raw-sql",
"name": "python.django.security.audit.raw-query.avoid-raw-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.raw-query.avoid-raw-sql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None."
},
"help": {
"markdown": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie)\n - [https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie](https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie)\n - [https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/](https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/)\n - [https://bento.dev/checks/flask/secure-set-cookie/](https://bento.dev/checks/flask/secure-set-cookie/)\n",
"text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite=\u0027Lax\u0027 in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie",
"id": "python.django.security.audit.secure-cookies.django-secure-set-cookie",
"name": "python.django.security.audit.secure-cookies.django-secure-set-cookie",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.secure-cookies.django-secure-set-cookie"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag."
},
"help": {
"markdown": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag)\n - [https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug](https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug)\n - [https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page](https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page)\n",
"text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"id": "python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"name": "python.django.security.audit.templates.debug-template-tag.debug-template-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.templates.debug-template-tag.debug-template-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."
},
"help": {
"markdown": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n",
"text": "The password on \u0027$MODEL\u0027 is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password",
"id": "python.django.security.audit.unvalidated-password.unvalidated-password",
"name": "python.django.security.audit.unvalidated-password.unvalidated-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it."
},
"help": {
"markdown": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring)\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\n - [https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11](https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11)\n",
"text": "Found a class extending \u0027SafeString\u0027, \u0027SafeText\u0027 or \u0027SafeData\u0027. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use \u0027mark_safe\u0027 instead and ensure no user data can reach it.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"id": "python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"name": "python.django.security.audit.xss.class-extends-safestring.class-extends-safestring",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.class-extends-safestring.class-extends-safestring"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027."
},
"help": {
"markdown": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n",
"text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"id": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"name": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML."
},
"help": {
"markdown": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse)\n - [https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render](https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render)\n - [https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render)\n",
"text": "Detected data rendered directly to the end user via \u0027HttpResponse\u0027 or a similar object. This bypasses Django\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django\u0027s template engine to safely render HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"id": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"name": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027."
},
"help": {
"markdown": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe)\n - [https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection)\n - [https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping](https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping)\n - [https://stackoverflow.com/questions/7665512/why-use-is-safe](https://stackoverflow.com/questions/7665512/why-use-is-safe)\n",
"text": "Detected Django filters flagged with \u0027is_safe\u0027. \u0027is_safe\u0027 tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, \u0027is_safe\u0027 could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing \u0027is_safe\u0027 and explicitly marking safe content with \u0027mark_safe()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"id": "python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"name": "python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters."
},
"help": {
"markdown": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter)\n - [https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html](https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html)\n",
"text": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"id": "python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"name": "python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027."
},
"help": {
"markdown": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n",
"text": "Autoescape is globally disabled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove \u0027autoescape: False\u0027 or set it to \u0027True\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"id": "python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"name": "python.django.security.audit.xss.global-autoescape-off.global-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.global-autoescape-off.global-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method."
},
"help": {
"markdown": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n",
"text": "The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method",
"id": "python.django.security.audit.xss.html-magic-method.html-magic-method",
"name": "python.django.security.audit.xss.html-magic-method.html-magic-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.html-magic-method.html-magic-method"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method."
},
"help": {
"markdown": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n",
"text": "`html_safe()` adds the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is \u0027safe\u0027 for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe",
"id": "python.django.security.audit.xss.html-safe.html-safe",
"name": "python.django.security.audit.xss.html-safe.html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.html-safe.html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead using `mark_safe` in Python code."
},
"help": {
"markdown": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead using `mark_safe` in Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape](https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape)\n",
"text": "Detected a template block where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead using `mark_safe` in Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"id": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"name": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."
},
"help": {
"markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n",
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."
},
"help": {
"markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n",
"text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code."
},
"help": {
"markdown": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq)\n - [https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq](https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq)\n",
"text": "Detected a template variable where autoescaping is explicitly disabled with \u0027| safeseq\u0027 filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"id": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"name": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks."
},
"help": {
"markdown": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token)\n - [https://docs.djangoproject.com/en/4.2/howto/csrf/](https://docs.djangoproject.com/en/4.2/howto/csrf/)\n",
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token",
"id": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"name": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.django-no-csrf-token.django-no-csrf-token"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"
},
"help": {
"markdown": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n",
"text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"id": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"name": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead."
},
"help": {
"markdown": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context)\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\n",
"text": "Using \u0027globals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027globals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context",
"id": "python.django.security.globals-as-template-context.globals-as-template-context",
"name": "python.django.security.globals-as-template-context.globals-as-template-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.globals-as-template-context.globals-as-template-context"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs."
},
"help": {
"markdown": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret)\n - [https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
"text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"id": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"name": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 \u2013 Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.hashids-with-django-secret.hashids-with-django-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027."
},
"help": {
"markdown": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n",
"text": "Found request data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"id": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"name": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."
},
"help": {
"markdown": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"id": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"name": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027eval\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027eval\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval",
"id": "python.django.security.injection.code.user-eval.user-eval",
"name": "python.django.security.injection.code.user-eval.user-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-eval.user-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"id": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"name": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-exec-format-string.user-exec-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need."
},
"help": {
"markdown": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
"text": "Found user data in a call to \u0027exec\u0027. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use \u0027exec\u0027 and instead use a safe library for the specific functionality you need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec",
"id": "python.django.security.injection.code.user-exec.user-exec",
"name": "python.django.security.injection.code.user-exec.user-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.code.user-exec.user-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information."
},
"help": {
"markdown": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"id": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"name": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.command.command-injection-os-system.command-injection-os-system"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
},
"help": {
"markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection",
"id": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
"name": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.command.subprocess-injection.subprocess-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
},
"help": {
"markdown": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
"text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"id": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"name": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
"properties": {
"precision": "very-high",
"tags": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.email.xss-html-email-body.xss-html-email-body"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
},
"help": {
"markdown": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
"text": "Found request data in \u0027send_mail(...)\u0027 that uses \u0027html_message\u0027. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"id": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"name": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
"properties": {
"precision": "very-high",
"tags": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html."
},
"help": {
"markdown": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n",
"text": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using \u0027**request.$W\u0027, assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment",
"id": "python.django.security.injection.mass-assignment.mass-assignment",
"name": "python.django.security.injection.mass-assignment.mass-assignment",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.mass-assignment.mass-assignment"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by checking the target with django.utils.http.url_has_allowed_host_and_scheme() (on Django versions before 3.0 this helper is named django.utils.http.is_safe_url(); it was deprecated in 3.0 and removed in 4.0). See https://cwe.mitre.org/data/definitions/601.html for more information."
},
"help": {
"markdown": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by checking the target with django.utils.http.url_has_allowed_host_and_scheme() (on Django versions before 3.0 this helper is named django.utils.http.is_safe_url(); it was deprecated in 3.0 and removed in 4.0). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect)\n - [https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/](https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/)\n - [https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231](https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231)\n",
"text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by checking the target with django.utils.http.url_has_allowed_host_and_scheme() (on Django versions before 3.0 this helper is named django.utils.http.is_safe_url(); it was deprecated in 3.0 and removed in 4.0). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect",
"id": "python.django.security.injection.open-redirect.open-redirect",
"name": "python.django.security.injection.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."
},
"help": {
"markdown": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"id": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"name": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."
},
"help": {
"markdown": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"id": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"name": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."
},
"help": {
"markdown": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"id": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"name": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format)\n - [https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render)\n - [https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format",
"id": "python.django.security.injection.raw-html-format.raw-html-format",
"name": "python.django.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"id": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"name": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"id": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"name": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."
},
"help": {
"markdown": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
"text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"id": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"name": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized."
},
"help": {
"markdown": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found user-controlled request data passed into \u0027.write(...)\u0027. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write",
"id": "python.django.security.injection.request-data-write.request-data-write",
"name": "python.django.security.injection.request-data-write.request-data-write",
"properties": {
"precision": "very-high",
"tags": [
"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.request-data-write.request-data-write"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
},
"help": {
"markdown": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra)\n",
"text": "User-controlled data from a request is passed to \u0027extra()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"id": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"name": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
},
"help": {
"markdown": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n",
"text": "User-controlled data from request is passed to \u0027RawSQL()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"id": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"name": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."
},
"help": {
"markdown": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "User-controlled data from a request is passed to \u0027execute()\u0027. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"id": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"name": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."
},
"help": {
"markdown": "Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django\u0027s QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"id": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"name": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"id": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"name": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"id": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"name": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string",
"id": "python.django.security.injection.tainted-sql-string.tainted-sql-string",
"name": "python.django.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host",
"id": "python.django.security.injection.tainted-url-host.tainted-url-host",
"name": "python.django.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead."
},
"help": {
"markdown": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context)\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\n",
"text": "Using \u0027locals()\u0027 as a context to \u0027render(...)\u0027 is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use \u0027locals()\u0027. Instead, specify each variable in a dictionary or \u0027django.template.Context\u0027 object, like \u0027{\"var1\": \"hello\"}\u0027 and use that instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context",
"id": "python.django.security.locals-as-template-context.locals-as-template-context",
"name": "python.django.security.locals-as-template-context.locals-as-template-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.locals-as-template-context.locals-as-template-context"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027."
},
"help": {
"markdown": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n",
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.nan-injection.nan-injection",
"id": "python.django.security.nan-injection.nan-injection",
"name": "python.django.security.nan-injection.nan-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.nan-injection.nan-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027."
},
"help": {
"markdown": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
"text": "\u0027$VAR\u0027 is the empty string and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the password to None or call \u0027set_unusable_password()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string",
"id": "python.django.security.passwords.password-empty-string.password-empty-string",
"name": "python.django.security.passwords.password-empty-string.password-empty-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.passwords.password-empty-string.password-empty-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027."
},
"help": {
"markdown": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
"text": "\u0027$VAR\u0027 is using the empty string as its default and is being used to set the password on \u0027$MODEL\u0027. If you meant to set an unusable password, set the default value to \u0027None\u0027 or call \u0027set_unusable_password()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"id": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"name": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
"properties": {
"precision": "very-high",
"tags": [
"CWE-521: Weak Password Requirements",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container."
},
"help": {
"markdown": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n",
"text": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"id": "python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"name": "python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided."
},
"help": {
"markdown": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://cwe.mitre.org/data/definitions/942.html](https://cwe.mitre.org/data/definitions/942.html)\n",
"text": "CORS policy allows any origin (using wildcard \u0027*\u0027). This is insecure and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors",
"id": "python.fastapi.security.wildcard-cors.wildcard-cors",
"name": "python.fastapi.security.wildcard-cors.wildcard-cors",
"properties": {
"precision": "very-high",
"tags": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.fastapi.security.wildcard-cors.wildcard-cors"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state."
},
"help": {
"markdown": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string)\n",
"text": "Flask-caching doesn\u0027t cache query strings by default. You have to use `query_string=True`. Also you shouldn\u0027t cache verbs that can mutate state.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string",
"id": "python.flask.caching.query-string.flask-cache-query-string",
"name": "python.flask.caching.query-string.flask-cache-query-string",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.caching.query-string.flask-cache-query-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Running flask app with host 0.0.0.0 could expose the server publicly."
},
"help": {
"markdown": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"id": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"name": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-668: Exposure of Resource to Wrong Sphere",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function"
},
"help": {
"markdown": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"id": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"name": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
"properties": {
"precision": "very-high",
"tags": [
"CWE-668: Exposure of Resource to Wrong Sphere",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables."
},
"help": {
"markdown": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled)\n - [https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/](https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/)\n",
"text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting \u0027debug\u0027 using system environment variables.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled",
"id": "python.flask.security.audit.debug-enabled.debug-enabled",
"name": "python.flask.security.audit.debug-enabled.debug-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"HIGH CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.debug-enabled.debug-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027."
},
"help": {
"markdown": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with \u0027render_template()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"id": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"name": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection"
},
"help": {
"markdown": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true)\n - [https://flask.palletsprojects.com/en/latest/api/#flask.url_for](https://flask.palletsprojects.com/en/latest/api/#flask.url_for)\n - [https://portswigger.net/kb/issues/00500300_host-header-injection](https://portswigger.net/kb/issues/00500300_host-header-injection)\n",
"text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"id": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"name": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-673: External Influence of Sphere Definition",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"
},
"help": {
"markdown": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable"
},
"help": {
"markdown": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"
},
"help": {
"markdown": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead"
},
"help": {
"markdown": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n",
"text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks."
},
"help": {
"markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n",
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string",
"id": "python.flask.security.audit.render-template-string.render-template-string",
"name": "python.flask.security.audit.render-template-string.render-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.render-template-string.render-template-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration."
},
"help": {
"markdown": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie)\n - [https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie](https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie)\n - [https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options](https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options)\n",
"text": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite are configured insecurely. Cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite=\u0027Lax\u0027` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite=\u0027Lax\u0027` arguments or set these to be true in the Flask configuration.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"id": "python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"name": "python.flask.security.audit.secure-set-cookie.secure-set-cookie",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.secure-set-cookie.secure-set-cookie"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection."
},
"help": {
"markdown": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled)\n - [https://flask-wtf.readthedocs.io/en/1.2.x/csrf/](https://flask-wtf.readthedocs.io/en/1.2.x/csrf/)\n",
"text": "Setting \u0027WTF_CSRF_ENABLED\u0027 to \u0027False\u0027 explicitly disables CSRF protection.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"id": "python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"name": "python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`."
},
"help": {
"markdown": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content)\n - [https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11](https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11)\n - [https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response](https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response)\n - [https://flask.palletsprojects.com/en/1.1.x/api/#response-objects](https://flask.palletsprojects.com/en/1.1.x/api/#response-objects)\n",
"text": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"id": "python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"name": "python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks."
},
"help": {
"markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n - [https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)\n",
"text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string",
"id": "python.flask.security.dangerous-template-string.dangerous-template-string",
"name": "python.flask.security.dangerous-template-string.dangerous-template-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.dangerous-template-string.dangerous-template-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD"
},
"help": {
"markdown": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n",
"text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"id": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"name": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-134: Use of Externally-Controlled Format String",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.flask-api-method-string-format.flask-api-method-string-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs."
},
"help": {
"markdown": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret)\n - [https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
"text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"id": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"name": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 \u2013 Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027."
},
"help": {
"markdown": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n",
"text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python\u0027s not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string \u0027nan\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection",
"id": "python.flask.security.injection.nan-injection.nan-injection",
"name": "python.flask.security.injection.nan-injection.nan-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.nan-injection.nan-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list."
},
"help": {
"markdown": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
"text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the \u0027subprocess\u0027 module instead and pass the arguments as a list.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection",
"id": "python.flask.security.injection.os-system-injection.os-system-injection",
"name": "python.flask.security.injection.os-system-injection.os-system-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.os-system-injection.os-system-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks."
},
"help": {
"markdown": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
"text": "Found request data in a call to \u0027open\u0027. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open",
"id": "python.flask.security.injection.path-traversal-open.path-traversal-open",
"name": "python.flask.security.injection.path-traversal-open.path-traversal-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.path-traversal-open.path-traversal-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format)\n - [https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format",
"id": "python.flask.security.injection.raw-html-concat.raw-html-format",
"name": "python.flask.security.injection.raw-html-concat.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.raw-html-concat.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
},
"help": {
"markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
"text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests",
"id": "python.flask.security.injection.ssrf-requests.ssrf-requests",
"name": "python.flask.security.injection.ssrf-requests.ssrf-requests",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.ssrf-requests.ssrf-requests"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
},
"help": {
"markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection",
"id": "python.flask.security.injection.subprocess-injection.subprocess-injection",
"name": "python.flask.security.injection.subprocess-injection.subprocess-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"id": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"name": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-704: Incorrect Type Conversion or Cast",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host",
"id": "python.flask.security.injection.tainted-url-host.tainted-url-host",
"name": "python.flask.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user data flowing into eval. This is code injection and should be avoided."
},
"help": {
"markdown": "Detected user data flowing into eval. This is code injection and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
"text": "Detected user data flowing into eval. This is code injection and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection",
"id": "python.flask.security.injection.user-eval.eval-injection",
"name": "python.flask.security.injection.user-eval.eval-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.user-eval.eval-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user data flowing into exec. This is code injection and should be avoided."
},
"help": {
"markdown": "Detected user data flowing into exec. This is code injection and should be avoided.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n",
"text": "Detected user data flowing into exec. This is code injection and should be avoided.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection",
"id": "python.flask.security.injection.user-exec.exec-injection",
"name": "python.flask.security.injection.user-exec.exec-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON."
},
"help": {
"markdown": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization",
"id": "python.flask.security.insecure-deserialization.insecure-deserialization",
"name": "python.flask.security.insecure-deserialization.insecure-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.insecure-deserialization.insecure-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information."
},
"help": {
"markdown": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect)\n - [https://flask-login.readthedocs.io/en/latest/#login-example](https://flask-login.readthedocs.io/en/latest/#login-example)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1)\n - [https://docs.python.org/3/library/urllib.parse.html#url-parsing](https://docs.python.org/3/library/urllib.parse.html#url-parsing)\n",
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using \u0027url_for()\u0027 to generate links to known locations. If you must use a URL to unknown pages, consider using \u0027urlparse()\u0027 or similar and checking if the \u0027netloc\u0027 property is the same as your site\u0027s host name. See the references for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect",
"id": "python.flask.security.open-redirect.open-redirect",
"name": "python.flask.security.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`"
},
"help": {
"markdown": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"id": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"name": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information."
},
"help": {
"markdown": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\n - [https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/](https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/)\n - [https://bento.dev/checks/flask/unescaped-file-extension/](https://bento.dev/checks/flask/unescaped-file-extension/)\n",
"text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension",
"id": "python.flask.security.unescaped-template-extension.unescaped-template-extension",
"name": "python.flask.security.unescaped-template-extension.unescaped-template-extension",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.unescaped-template-extension.unescaped-template-extension"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/)."
},
"help": {
"markdown": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input)\n - [https://flask.palletsprojects.com/en/1.0.x/security/](https://flask.palletsprojects.com/en/1.0.x/security/)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n",
"text": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user\u0027s browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"id": "python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"name": "python.flask.security.unsanitized-input.response-contains-unsanitized-input",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.unsanitized-input.response-contains-unsanitized-input"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS."
},
"help": {
"markdown": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n",
"text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method \u0027render_template()\u0027 and templates with a \u0027.html\u0027 extension in order to prevent XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"id": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"name": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027."
},
"help": {
"markdown": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)\n - [https://tedboy.github.io/flask/generated/generated/flask.Markup.html](https://tedboy.github.io/flask/generated/generated/flask.Markup.html)\n",
"text": "Detected explicitly unescaped content using \u0027Markup()\u0027. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use \u0027Markup()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"id": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"name": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on."
},
"help": {
"markdown": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping](https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\n",
"text": "Detected a segment of a Flask template where autoescaping is explicitly disabled with \u0027{% autoescape off %}\u0027. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"id": "python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"name": "python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"id": "python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"name": "python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."
},
"help": {
"markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"id": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"name": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"id": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"name": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"id": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"name": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.jwt-none-alg.jwt-python-none-alg"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."
},
"help": {
"markdown": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n",
"text": "Detected JWT token decoded with \u0027verify=False\u0027. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"id": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"name": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "the `errors` argument to Popen is only available on Python 3.6+"
},
"help": {
"markdown": "the `errors` argument to Popen is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1)\n",
"text": "the `errors` argument to Popen is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1",
"id": "python.lang.compatibility.python36.python36-compatibility-Popen1",
"name": "python.lang.compatibility.python36.python36-compatibility-Popen1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "the `encoding` argument to Popen is only available on Python 3.6+"
},
"help": {
"markdown": "the `encoding` argument to Popen is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n",
"text": "the `encoding` argument to Popen is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2",
"id": "python.lang.compatibility.python36.python36-compatibility-Popen2",
"name": "python.lang.compatibility.python36.python36-compatibility-Popen2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "this function is only available on Python 3.6+"
},
"help": {
"markdown": "this function is only available on Python 3.6+\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl)\n",
"text": "this function is only available on Python 3.6+\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl",
"id": "python.lang.compatibility.python36.python36-compatibility-ssl",
"name": "python.lang.compatibility.python36.python36-compatibility-ssl",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-ssl"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below."
},
"help": {
"markdown": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn)\n",
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn",
"id": "python.lang.compatibility.python37.python37-compatibility-httpconn",
"name": "python.lang.compatibility.python37.python37-compatibility-httpconn",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpconn"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below."
},
"help": {
"markdown": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn)\n",
"text": "Found usage of the \u0027blocksize\u0027 argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn",
"id": "python.lang.compatibility.python37.python37-compatibility-httpsconn",
"name": "python.lang.compatibility.python37.python37-compatibility-httpsconn",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpsconn"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function."
},
"help": {
"markdown": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib)\n",
"text": "source_hash\u0027 is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."
},
"help": {
"markdown": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n",
"text": "Found \u0027importlib.resources\u0027, which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib2",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."
},
"help": {
"markdown": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3)\n",
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3",
"id": "python.lang.compatibility.python37.python37-compatibility-importlib3",
"name": "python.lang.compatibility.python37.python37-compatibility-importlib3",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib3"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027."
},
"help": {
"markdown": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1)\n",
"text": "IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv4network1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv4network1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027."
},
"help": {
"markdown": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2)\n",
"text": "IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv4network2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv4network2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027."
},
"help": {
"markdown": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1)\n",
"text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in \u0027subnets\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv6network1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv6network1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027."
},
"help": {
"markdown": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2)\n",
"text": "IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in \u0027supernet\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"id": "python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"name": "python.lang.compatibility.python37.python37-compatibility-ipv6network2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv6network2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument."
},
"help": {
"markdown": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1)\n",
"text": "Found usage of the \u0027monetary\u0027 argument in a function call of \u0027locale.format_string\u0027. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the \u0027monetary\u0027 argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1",
"id": "python.lang.compatibility.python37.python37-compatibility-locale1",
"name": "python.lang.compatibility.python37.python37-compatibility-locale1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-locale1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y."
},
"help": {
"markdown": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1)\n",
"text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1",
"id": "python.lang.compatibility.python37.python37-compatibility-math1",
"name": "python.lang.compatibility.python37.python37-compatibility-math1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-math1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join()."
},
"help": {
"markdown": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1)\n",
"text": "multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"id": "python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"name": "python.lang.compatibility.python37.python37-compatibility-multiprocess1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."
},
"help": {
"markdown": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n",
"text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"id": "python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"name": "python.lang.compatibility.python37.python37-compatibility-multiprocess2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."
},
"help": {
"markdown": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n",
"text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1",
"id": "python.lang.compatibility.python37.python37-compatibility-os1",
"name": "python.lang.compatibility.python37.python37-compatibility-os1",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev()."
},
"help": {
"markdown": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2)\n",
"text": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"id": "python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"name": "python.lang.compatibility.python37.python37-compatibility-os2-ok2",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os2-ok2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument."
},
"help": {
"markdown": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb)\n",
"text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb",
"id": "python.lang.compatibility.python37.python37-compatibility-pdb",
"name": "python.lang.compatibility.python37.python37-compatibility-pdb",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-pdb"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."
},
"help": {
"markdown": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n",
"text": "Found usage of \u0027importlib.abc.ResourceReader\u0027. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"id": "python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"name": "python.lang.compatibility.python37.python37-compatibility-textiowrapper",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"
},
"help": {
"markdown": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n",
"text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv",
"id": "python.lang.security.audit.conn_recv.multiprocessing-recv",
"name": "python.lang.security.audit.conn_recv.multiprocessing-recv",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function."
},
"help": {
"markdown": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage)\n - [https://docs.python.org/3/library/typing.html#typing.get_type_hints](https://docs.python.org/3/library/typing.html#typing.get_type_hints)\n",
"text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"id": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"name": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead."
},
"help": {
"markdown": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected)\n - [https://cwe.mitre.org/data/definitions/939.html](https://cwe.mitre.org/data/definitions/939.html)\n",
"text": "Detected a dynamic value being used with urllib. urllib supports \u0027file://\u0027 schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the \u0027requests\u0027 library instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"id": "python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"name": "python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-939: Improper Authorization in Handler for Custom URL Scheme",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected",
"id": "python.lang.security.audit.eval-detected.eval-detected",
"name": "python.lang.security.audit.eval-detected.eval-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.eval-detected.eval-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
},
"help": {
"markdown": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected",
"id": "python.lang.security.audit.exec-detected.exec-detected",
"name": "python.lang.security.audit.exec-detected.exec-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected possible formatted SQL query. Use parameterized queries instead."
},
"help": {
"markdown": "Detected possible formatted SQL query. Use parameterized queries instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n",
"text": "Detected possible formatted SQL query. Use parameterized queries instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"id": "python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"name": "python.lang.security.audit.formatted-sql-query.formatted-sql-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied."
},
"help": {
"markdown": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Hardcoded password is used as a default argument to \u0027$FUNC\u0027. This could be dangerous if a real password is not supplied.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"id": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"name": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information."
},
"help": {
"markdown": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n",
"text": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"id": "python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"name": "python.lang.security.audit.httpsconnection-detected.httpsconnection-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.httpsconnection-detected.httpsconnection-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."
},
"help": {
"markdown": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"id": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"name": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead."
},
"help": {
"markdown": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls)\n - [https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS](https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS)\n",
"text": "The \u0027FTP\u0027 class sends information unencrypted. Consider using the \u0027FTP_TLS\u0027 class instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"id": "python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"name": "python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"id": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"name": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"id": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"name": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected a request using \u0027http://\u0027. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"id": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"name": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel."
},
"help": {
"markdown": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers)\n - [https://docs.python.org/3/library/ssl.html#cipher-selection](https://docs.python.org/3/library/ssl.html#cipher-selection)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers)\n",
"text": "The \u0027ssl\u0027 module disables insecure cipher suites by default. Therefore, use of \u0027set_ciphers()\u0027 should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"id": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"name": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n",
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027ftp://\u0027. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n",
"text": "Detected an unsecured transmission channel. \u0027OpenerDirector.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n",
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027ftp://\u0027. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n",
"text": "Detected a \u0027urllib.request.Request()\u0027 object using an insecure transport protocol, \u0027http://\u0027. This connection will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP."
},
"help": {
"markdown": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\n",
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen)\n",
"text": "Detected \u0027urllib.urlopen()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\n",
"text": "Detected an insecure transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\n",
"text": "Detected an unsecured transmission channel. \u0027URLopener.open(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP."
},
"help": {
"markdown": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\n",
"text": "Detected an insecure transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027ftp://\u0027. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel."
},
"help": {
"markdown": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\n",
"text": "Detected an unsecured transmission channel. \u0027URLopener.retrieve(...)\u0027 is being used with \u0027http://\u0027. Use \u0027https://\u0027 instead to secure the channel.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP."
},
"help": {
"markdown": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve)\n",
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027ftp://\u0027. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve)\n",
"text": "Detected \u0027urllib.urlretrieve()\u0027 using \u0027http://\u0027. This request will not be encrypted. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."
},
"help": {
"markdown": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n",
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval",
"id": "python.lang.security.audit.logging.listeneval.listen-eval",
"name": "python.lang.security.audit.logging.listeneval.listen-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information."
},
"help": {
"markdown": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n",
"text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"id": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"name": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-532: Insertion of Sensitive Information into Log File",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."
},
"help": {
"markdown": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n",
"text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using \u0027| u\u0027 for URL escaping or \u0027| h\u0027 for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"id": "python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"name": "python.lang.security.audit.mako-templates-detected.mako-templates-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security"
},
"help": {
"markdown": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage)\n - [https://docs.python.org/3/library/marshal.html?highlight=security](https://docs.python.org/3/library/marshal.html?highlight=security)\n",
"text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage",
"id": "python.lang.security.audit.marshal.marshal-usage",
"name": "python.lang.security.audit.marshal.marshal-usage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.marshal.marshal-usage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"id": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"name": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file."
},
"help": {
"markdown": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"id": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"name": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"HIGH CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "certificate verification explicitly disabled, insecure connections possible"
},
"help": {
"markdown": "certificate verification explicitly disabled, insecure connections possible\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "certificate verification explicitly disabled, insecure connections possible\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"id": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"name": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications."
},
"help": {
"markdown": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection)\n - [https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool](https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool)\n",
"text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"id": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"name": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code."
},
"help": {
"markdown": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.non-literal-import.non-literal-import)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.non-literal-import.non-literal-import",
"id": "python.lang.security.audit.non-literal-import.non-literal-import",
"name": "python.lang.security.audit.non-literal-import.non-literal-import",
"properties": {
"precision": "very-high",
"tags": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.non-literal-import.non-literal-import"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead."
},
"help": {
"markdown": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy)\n",
"text": "Detected a paramiko host key policy that implicitly trusts a server\u0027s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"id": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"name": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-322: Key Exchange without Entity Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead."
},
"help": {
"markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n",
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context()\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"id": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"name": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT"
},
"help": {
"markdown": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell)\n - [https://cwe.mitre.org/data/definitions/553.html](https://cwe.mitre.org/data/definitions/553.html)\n",
"text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"id": "python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"name": "python.lang.security.audit.python-reverse-shell.python-reverse-shell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-553: Command Shell in Externally Accessible Directory",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.python-reverse-shell.python-reverse-shell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash",
"id": "python.lang.security.audit.sha224-hash.sha224-hash",
"name": "python.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli)\n - [https://github.com/aio-libs/aiopg](https://github.com/aio-libs/aiopg)\n",
"text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: \u0027cur.execute(\"SELECT %s FROM table\", (user_value,))\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"id": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"name": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n",
"text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.fetch(\"SELECT $1 FROM table\", value)\u0027. You can also create prepared statements with \u0027Connection.prepare\u0027: \u0027stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"id": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"name": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli)\n - [https://github.com/tlocke/pg8000](https://github.com/tlocke/pg8000)\n",
"text": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: \u0027conn.run(\"SELECT :value FROM table\", value=myvalue)\u0027. You can also create prepared statements with \u0027conn.prepare\u0027: \u0027conn.prepare(\"SELECT (:v) FROM table\")\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"id": "python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"name": "python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027"
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n",
"text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a \u0027sql.SQL\u0027 string. You can also use the pyformat binding style to create parameterized queries. For example: \u0027cur.execute(SELECT * FROM table WHERE name=%s, user_input)\u0027\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"id": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"name": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket."
},
"help": {
"markdown": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated)\n - [https://docs.python.org/3/library/ssl.html#ssl.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)\n",
"text": "\u0027ssl.wrap_socket()\u0027 is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using \u0027ssl.SSLContext()\u0027 and use that to wrap a socket.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"id": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"name": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead."
},
"help": {
"markdown": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n",
"text": "Found \u0027subprocess\u0027 function \u0027$FUNC\u0027 with \u0027shell=True\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027shell=False\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"id": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"name": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."
},
"help": {
"markdown": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n",
"text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named \u0027-e sh script.sh\u0027 -- this will execute a script when \u0027rsync\u0027 is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"id": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"name": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected",
"properties": {
"precision": "very-high",
"tags": [
"CWE-155: Improper Neutralization of Wildcards or Matching Symbols",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Telnet does not encrypt communications. Use SSH instead."
},
"help": {
"markdown": "Telnet does not encrypt communications. Use SSH instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib)\n - [https://docs.python.org/3/library/telnetlib.html](https://docs.python.org/3/library/telnetlib.html)\n",
"text": "Telnet does not encrypt communications. Use SSH instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib",
"id": "python.lang.security.audit.telnetlib.telnetlib",
"name": "python.lang.security.audit.telnetlib.telnetlib",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.telnetlib.telnetlib"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher."
},
"help": {
"markdown": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n - [https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2](https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2)\n",
"text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use \u0027ssl.PROTOCOL_TLSv1_2\u0027 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"id": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"name": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.weak-ssl-version.weak-ssl-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"id": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"name": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-code-run.dangerous-interactive-code-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027."
},
"help": {
"markdown": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n",
"text": "Found non static data as an index to \u0027globals()\u0027. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use \u0027globals()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use",
"id": "python.lang.security.dangerous-globals-use.dangerous-globals-use",
"name": "python.lang.security.dangerous-globals-use.dangerous-globals-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-globals-use.dangerous-globals-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
},
"help": {
"markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec",
"id": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
"name": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-os-exec.dangerous-os-exec"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
},
"help": {
"markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"id": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"name": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-spawn-process.dangerous-spawn-process"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"id": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"name": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using \u0027shlex.escape()\u0027."
},
"help": {
"markdown": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using \u0027shlex.escape()\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Detected subprocess function \u0027$FUNC\u0027 with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using \u0027shlex.escape()\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"id": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"name": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability."
},
"help": {
"markdown": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the \u0027subprocess\u0027 module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call",
"id": "python.lang.security.dangerous-system-call.dangerous-system-call",
"name": "python.lang.security.dangerous-system-call.dangerous-system-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-system-call.dangerous-system-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
},
"help": {
"markdown": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
"text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"id": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"name": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."
},
"help": {
"markdown": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n",
"text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"id": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"name": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."
},
"help": {
"markdown": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n",
"text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"id": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"name": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead."
},
"help": {
"markdown": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n",
"text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ=\u0027rt\u0027)` or `YAML(typ=\u0027safe\u0027)` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"id": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"name": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle",
"id": "python.lang.security.deserialization.pickle.avoid-cPickle",
"name": "python.lang.security.deserialization.pickle.avoid-cPickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill",
"id": "python.lang.security.deserialization.pickle.avoid-dill",
"name": "python.lang.security.deserialization.pickle.avoid-dill",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-dill"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle",
"id": "python.lang.security.deserialization.pickle.avoid-pickle",
"name": "python.lang.security.deserialization.pickle.avoid-pickle",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"LOW CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-pickle"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
},
"help": {
"markdown": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
"text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve",
"id": "python.lang.security.deserialization.pickle.avoid-shelve",
"name": "python.lang.security.deserialization.pickle.avoid-shelve",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-shelve"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"id": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"name": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead."
},
"help": {
"markdown": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using \u0027SHA256\u0027 or a similar function instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function",
"id": "python.lang.security.insecure-hash-function.insecure-hash-function",
"name": "python.lang.security.insecure-hash-function.insecure-hash-function",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-hash-function.insecure-hash-function"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."
},
"help": {
"markdown": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n",
"text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version",
"id": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
"name": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead."
},
"help": {
"markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n",
"text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use \u0027ssl.create_default_context\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context",
"id": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
"name": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`."
},
"help": {
"markdown": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse)\n - [https://docs.python.org/3/library/xml.html](https://docs.python.org/3/library/xml.html)\n - [https://github.com/tiran/defusedxml](https://github.com/tiran/defusedxml)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n",
"text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"id": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"name": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"MEDIUM CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.use-defused-xml-parse.use-defused-xml-parse"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."
},
"help": {
"markdown": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n",
"text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"id": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"name": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc",
"properties": {
"precision": "very-high",
"tags": [
"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"LOW CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
},
"help": {
"markdown": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
"text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"id": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"name": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."
},
"help": {
"markdown": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n",
"text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"id": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"name": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
},
"help": {
"markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"id": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"name": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/dsa](https://www.pycryptodome.org/src/public_key/dsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
"text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"id": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"name": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher."
},
"help": {
"markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/rsa#rsa](https://www.pycryptodome.org/src/public_key/rsa#rsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
"text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."
},
"help": {
"markdown": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n",
"text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth",
"id": "python.pymongo.security.mongodb.mongo-client-bad-auth",
"name": "python.pymongo.security.mongodb.mongo-client-bad-auth",
"properties": {
"precision": "very-high",
"tags": [
"CWE-477: Use of Obsolete Function",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML."
},
"help": {
"markdown": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected data rendered directly to the end user via \u0027Response\u0027. This bypasses Pyramid\u0027s built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid\u0027s template engines to safely render HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"id": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"name": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements."
},
"help": {
"markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection)\n - [https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data](https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data)\n",
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"id": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"name": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."
},
"help": {
"markdown": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n",
"text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation",
"id": "python.requests.security.disabled-cert-validation.disabled-cert-validation",
"name": "python.requests.security.disabled-cert-validation.disabled-cert-validation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead."
},
"help": {
"markdown": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http)\n - [https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/](https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/)\n - [https://bento.dev/checks/requests/no-auth-over-http/](https://bento.dev/checks/requests/no-auth-over-http/)\n",
"text": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use \u0027https://\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http",
"id": "python.requests.security.no-auth-over-http.no-auth-over-http",
"name": "python.requests.security.no-auth-over-http.no-auth-over-http",
"properties": {
"precision": "very-high",
"tags": [
"CWE-523: Unprotected Transport of Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.requests.security.no-auth-over-http.no-auth-over-http"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument."
},
"help": {
"markdown": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sh.security.string-concat.string-concat)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected string concatenation or formatting in a call to a command via \u0027sh\u0027. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sh.security.string-concat.string-concat",
"id": "python.sh.security.string-concat.string-concat",
"name": "python.sh.security.string-concat.string-concat",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sh.security.string-concat.string-concat"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Rather than adding one element at a time, consider batch loading to improve performance."
},
"help": {
"markdown": "Rather than adding one element at a time, consider batch loading to improve performance.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import)\n",
"text": "Rather than adding one element at a time, consider batch loading to improve performance.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import",
"id": "python.sqlalchemy.performance.performance-improvements.batch-import",
"name": "python.sqlalchemy.performance.performance-improvements.batch-import",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.performance.performance-improvements.batch-import"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side."
},
"help": {
"markdown": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count)\n",
"text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count",
"id": "python.sqlalchemy.performance.performance-improvements.len-all-count",
"name": "python.sqlalchemy.performance.performance-improvements.len-all-count",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.performance.performance-improvements.len-all-count"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL."
},
"help": {
"markdown": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n",
"text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"id": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"name": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."
},
"help": {
"markdown": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n",
"text": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"id": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"name": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements."
},
"help": {
"markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"id": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"name": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands"
},
"help": {
"markdown": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection)\n - [https://codeberg.org/fennix/funjection](https://codeberg.org/fennix/funjection)\n",
"text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection",
"id": "python.twilio.security.twiml-injection.twiml-injection",
"name": "python.twilio.security.twiml-injection.twiml-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-91: XML Injection",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.twilio.security.twiml-injection.twiml-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli)\n - [https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql](https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created \u003e ?\", author_id, start_date]`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"id": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"name": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli)\n - [https://github.com/brianmario/mysql2](https://github.com/brianmario/mysql2)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"id": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"name": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli",
"id": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
"name": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.pg-sqli.pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`"
},
"help": {
"markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n",
"text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB[\u0027select * from items where name = ?\u0027, name]`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"id": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"name": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil."
},
"help": {
"markdown": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization)\n - [https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html](https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
"text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning \u0027primitive\u0027 types such as strings, arrays, hashes, numbers and nil.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"id": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"name": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"id": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"name": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims."
},
"help": {
"markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token\u0027s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"id": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"name": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload."
},
"help": {
"markdown": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"id": "ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"name": "ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."
},
"help": {
"markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"id": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"name": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"id": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"name": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027."
},
"help": {
"markdown": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"id": "ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"name": "ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
},
"help": {
"markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
"text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash",
"id": "ruby.lang.security.audit.sha224-hash.sha224-hash",
"name": "ruby.lang.security.audit.sha224-hash.sha224-hash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.audit.sha224-hash.sha224-hash"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead."
},
"help": {
"markdown": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
"text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization",
"id": "ruby.lang.security.bad-deserialization.bad-deserialization",
"name": "ruby.lang.security.bad-deserialization.bad-deserialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"OWASP-A08:2017 - Insecure Deserialization",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.bad-deserialization.bad-deserialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."
},
"help": {
"markdown": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n",
"text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization",
"id": "ruby.lang.security.cookie-serialization.cookie-serialization",
"name": "ruby.lang.security.cookie-serialization.cookie-serialization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set."
},
"help": {
"markdown": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.create-with.create-with)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ](https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ)\n",
"text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.create-with.create-with",
"id": "ruby.lang.security.create-with.create-with",
"name": "ruby.lang.security.create-with.create-with",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.create-with.create-with"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n",
"text": "Detected non-static command inside $EXEC. Audit the input to \u0027$EXEC\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec",
"id": "ruby.lang.security.dangerous-exec.dangerous-exec",
"name": "ruby.lang.security.dangerous-exec.dangerous-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside \u0027open\u0027. Audit the input to \u0027open\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open",
"id": "ruby.lang.security.dangerous-open.dangerous-open",
"name": "ruby.lang.security.dangerous-open.dangerous-open",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside $PIPE. Audit the input to \u0027$PIPE\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"id": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"name": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
},
"help": {
"markdown": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell",
"id": "ruby.lang.security.dangerous-subshell.dangerous-subshell",
"name": "ruby.lang.security.dangerous-subshell.dangerous-subshell",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."
},
"help": {
"markdown": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "\u0027syscall\u0027 is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall",
"id": "ruby.lang.security.dangerous-syscall.dangerous-syscall",
"name": "ruby.lang.security.dangerous-syscall.dangerous-syscall",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a possible ZeroDivisionError."
},
"help": {
"markdown": "Detected a possible ZeroDivisionError.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb)\n",
"text": "Detected a possible ZeroDivisionError.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero",
"id": "ruby.lang.security.divide-by-zero.divide-by-zero",
"name": "ruby.lang.security.divide-by-zero.divide-by-zero",
"properties": {
"precision": "very-high",
"tags": [
"CWE-369: Divide By Zero",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.divide-by-zero.divide-by-zero"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false."
},
"help": {
"markdown": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ](https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ)\n",
"text": "Special requests can determine whether a file exists on a filesystem that\u0027s outside the Rails app\u0027s root directory. To fix this, set config.serve_static_assets = false.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure",
"id": "ruby.lang.security.file-disclosure.file-disclosure",
"name": "ruby.lang.security.file-disclosure.file-disclosure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.file-disclosure.file-disclosure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true."
},
"help": {
"markdown": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb)\n",
"text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false",
"id": "ruby.lang.security.force-ssl-false.force-ssl-false",
"name": "ruby.lang.security.force-ssl-false.force-ssl-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"HIGH CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.force-ssl-false.force-ssl-false"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."
},
"help": {
"markdown": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"id": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"name": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file."
},
"help": {
"markdown": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
"text": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"id": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"name": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher."
},
"help": {
"markdown": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
"text": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"id": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"name": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS."
},
"help": {
"markdown": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape",
"id": "ruby.lang.security.json-entity-escape.json-entity-escape",
"name": "ruby.lang.security.json-entity-escape.json-entity-escape",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.json-entity-escape.json-entity-escape"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect."
},
"help": {
"markdown": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "Mass assignment protection disabled for \u0027$MODEL\u0027. This could permit assignment to sensitive model fields without intention. Instead, use \u0027attr_accessible\u0027 for the model or disable mass assigment using \u0027config.active_record.whitelist_attributes = true\u0027. \u0027:without_protection =\u003e true\u0027 must be removed for this to take effect.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"id": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"name": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem."
},
"help": {
"markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n",
"text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password",
"id": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
"name": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.md5-used-as-password.md5-used-as-password"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class."
},
"help": {
"markdown": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Detected controller which does not enable cross-site request forgery protections using \u0027protect_from_forgery\u0027. Add \u0027protect_from_forgery :with =\u003e :exception\u0027 to your controller class.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"id": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"name": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible."
},
"help": {
"markdown": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb)\n",
"text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don\u0027t allow admin, banned, role, and account_id using permit or attr_accessible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible",
"id": "ruby.lang.security.model-attr-accessible.model-attr-accessible",
"name": "ruby.lang.security.model-attr-accessible.model-attr-accessible",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.model-attr-accessible.model-attr-accessible"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes."
},
"help": {
"markdown": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb)\n",
"text": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"id": "ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"name": "ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval."
},
"help": {
"markdown": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval",
"id": "ruby.lang.security.no-eval.ruby-eval",
"name": "ruby.lang.security.no-eval.ruby-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.no-eval.ruby-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."
},
"help": {
"markdown": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n",
"text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.no-send.bad-send",
"id": "ruby.lang.security.no-send.bad-send",
"name": "ruby.lang.security.no-send.bad-send",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.no-send.bad-send"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead."
},
"help": {
"markdown": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use \u0027OpenSSL::SSL::VERIFY_PEER\u0027 instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"id": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"name": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access."
},
"help": {
"markdown": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n",
"text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don\u0027t use :without_protection =\u003e true. Instead, configure attr_accessible to control attribute access.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"id": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"name": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln",
"properties": {
"precision": "very-high",
"tags": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"LOW CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead."
},
"help": {
"markdown": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5)\n - [https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575](https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575)\n",
"text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"id": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"name": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.weak-hashes-md5.weak-hashes-md5"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."
},
"help": {
"markdown": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n",
"text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"id": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"name": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
"properties": {
"precision": "very-high",
"tags": [
"CWE-328: Use of Weak Hash",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn\u0027t intend them to. Do not use user input as a session key."
},
"help": {
"markdown": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n",
"text": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"id": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"name": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Allowing an attacker to manipulate the session may lead to unintended behavior."
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"id": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"name": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"id": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"name": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"id": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"name": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
},
"help": {
"markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
"text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"id": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"name": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."
},
"help": {
"markdown": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"id": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"name": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This call turns off CSRF protection allowing CSRF attacks against the application"
},
"help": {
"markdown": "This call turns off CSRF protection allowing CSRF attacks against the application\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection)\n - [https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection)\n",
"text": "This call turns off CSRF protection allowing CSRF attacks against the application\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"id": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"name": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`."
},
"help": {
"markdown": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
"text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params(\u0027SELECT $1 AS a, $2 AS b, $3 AS c\u0027, [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"id": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"name": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!"
},
"help": {
"markdown": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027content_tag()\u0027 bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use \u0027html_safe\u0027. Ensure no external data enters the HTML-safe string!\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"id": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"name": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."
},
"help": {
"markdown": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n",
"text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn\u0027t mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"id": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"name": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes",
"properties": {
"precision": "very-high",
"tags": [
"CWE-276: Incorrect Default Permissions",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."
},
"help": {
"markdown": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027html_safe()\u0027 does not make the supplied string safe. \u0027html_safe()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"id": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"name": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument."
},
"help": {
"markdown": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to)\n - [https://brakemanscanner.org/docs/warning_types/link_to/](https://brakemanscanner.org/docs/warning_types/link_to/)\n - [https://brakemanscanner.org/docs/warning_types/link_to_href/](https://brakemanscanner.org/docs/warning_types/link_to_href/)\n",
"text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"id": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"name": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`."
},
"help": {
"markdown": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw](https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n",
"text": "\u0027raw()\u0027 bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"id": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"name": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-raw.avoid-raw"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect."
},
"help": {
"markdown": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect)\n - [https://brakemanscanner.org/docs/warning_types/redirect/](https://brakemanscanner.org/docs/warning_types/redirect/)\n",
"text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"id": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"name": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template."
},
"help": {
"markdown": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n",
"text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn\u0027t. To prevent this, check dynamic template paths against a predefined allowlist to make sure it\u0027s an allowed template.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"id": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"name": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method."
},
"help": {
"markdown": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n",
"text": "\u0027render inline: ...\u0027 renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"id": "ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"name": "ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text."
},
"help": {
"markdown": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n",
"text": "\u0027render text: ...\u0027 actually sets the content-type to \u0027text/html\u0027. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use \u0027render plain: ...\u0027 to render non-HTML text.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"id": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"name": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027."
},
"help": {
"markdown": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n",
"text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a \u0027.erb\u0027 template file and use \u0027render\u0027.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"id": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"name": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify."
},
"help": {
"markdown": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n",
"text": "The syntax `\u003c%== ... %\u003e` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"id": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"name": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data."
},
"help": {
"markdown": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag)\n - [https://brakemanscanner.org/docs/warning_types/content_tag/](https://brakemanscanner.org/docs/warning_types/content_tag/)\n",
"text": "\u0027content_tag\u0027 exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use \u0027html_safe\u0027 if you must render raw HTML data.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"id": "ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"name": "ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."
},
"help": {
"markdown": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n",
"text": "\u0027html_safe\u0027 renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"id": "ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"name": "ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."
},
"help": {
"markdown": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n",
"text": "\u0027raw\u0027 renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"id": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"name": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\"."
},
"help": {
"markdown": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\n",
"text": "Detected an unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"\u003c%= expr %\u003e\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"id": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"name": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header."
},
"help": {
"markdown": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n",
"text": "Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross-site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=\u0027/\u003c%= link =\u003e\u0027. You may also consider setting the Content Security Policy (CSP) header.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"id": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"name": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"id": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"name": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value."
},
"help": {
"markdown": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
"text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path =\u003e true` hash value.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"id": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"name": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."
},
"help": {
"markdown": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n",
"text": "Found a potentially user-controllable argument in the construction of a regular expression. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"id": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"name": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1333: Inefficient Regular Expression Complexity",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`."
},
"help": {
"markdown": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include)\n - [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)\n - [https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60](https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60)\n",
"text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"id": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"name": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"
},
"help": {
"markdown": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n",
"text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file",
"id": "ruby.rails.security.brakeman.check-send-file.check-send-file",
"name": "ruby.rails.security.brakeman.check-send-file.check-send-file",
"properties": {
"precision": "very-high",
"tags": [
"CWE-73: External Control of File Name or Path",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries."
},
"help": {
"markdown": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb)\n",
"text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql",
"id": "ruby.rails.security.brakeman.check-sql.check-sql",
"name": "ruby.rails.security.brakeman.check-sql.check-sql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-sql.check-sql"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"
},
"help": {
"markdown": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n",
"text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"id": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"name": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input."
},
"help": {
"markdown": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb)\n",
"text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"id": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"name": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`."
},
"help": {
"markdown": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find)\n - [https://brakemanscanner.org/docs/warning_types/unscoped_find/](https://brakemanscanner.org/docs/warning_types/unscoped_find/)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb)\n",
"text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"id": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"name": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
"properties": {
"precision": "very-high",
"tags": [
"CWE-639: Authorization Bypass Through User-Controlled Key",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`."
},
"help": {
"markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html)\n",
"text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format",
"id": "ruby.rails.security.injection.raw-html-format.raw-html-format",
"name": "ruby.rails.security.injection.raw-html-format.raw-html-format",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.raw-html-format.raw-html-format"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries."
},
"help": {
"markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
"text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"id": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"name": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts."
},
"help": {
"markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/arkadiyt/ssrf_filter](https://github.com/arkadiyt/ssrf_filter)\n",
"text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"id": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"name": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.injection.tainted-url-host.tainted-url-host"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dangerously accepting invalid TLS information"
},
"help": {
"markdown": "Dangerously accepting invalid TLS information\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs)\n",
"text": "Dangerously accepting invalid TLS information\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"id": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"name": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Dangerous client config used, ensure SSL verification"
},
"help": {
"markdown": "Dangerous client config used, ensure SSL verification\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n",
"text": "Dangerous client config used, ensure SSL verification\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous",
"id": "rust.lang.security.rustls-dangerous.rustls-dangerous",
"name": "rust.lang.security.rustls-dangerous.rustls-dangerous",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "SSL verification disabled, this allows for MitM attacks"
},
"help": {
"markdown": "SSL verification disabled, this allows for MitM attacks\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n",
"text": "SSL verification disabled, this allows for MitM attacks\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none",
"id": "rust.lang.security.ssl-verify-none.ssl-verify-none",
"name": "rust.lang.security.ssl-verify-none.ssl-verify-none",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode)\n - [https://jwt-scala.github.io/jwt-scala/](https://jwt-scala.github.io/jwt-scala/)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"id": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"name": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"id": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"name": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"id": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"name": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n",
"text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"id": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"name": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"id": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"name": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead."
},
"help": {
"markdown": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random",
"id": "scala.lang.security.audit.insecure-random.insecure-random",
"name": "scala.lang.security.audit.insecure-random.insecure-random",
"properties": {
"precision": "very-high",
"tags": [
"CWE-330: Use of Insufficiently Random Values",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.insecure-random.insecure-random"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource](https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource)\n",
"text": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"id": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"name": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"MEDIUM CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.io-source-ssrf.io-source-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, a file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other problems. Sanitize the user input instead of performing direct string concatenation."
},
"help": {
"markdown": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, a file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other problems. Sanitize the user input instead of performing direct string concatenation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into \u0027fromFile\u0027, a file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other problems. Sanitize the user input instead of performing direct string concatenation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"id": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"name": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Use RSA with `OAEPWithMD5AndMGF1Padding` instead."
},
"help": {
"markdown": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Use RSA with `OAEPWithMD5AndMGF1Padding` instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Use RSA with `OAEPWithMD5AndMGF1Padding` instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"id": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"name": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
"properties": {
"precision": "very-high",
"tags": [
"CWE-780: Use of RSA Algorithm without OAEP",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.rsa-padding-set.rsa-padding-set"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"id": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"name": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands."
},
"help": {
"markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"id": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"name": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration."
},
"help": {
"markdown": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug)\n - [https://docs.scala-lang.org/overviews/compiler-options/index.html](https://docs.scala-lang.org/overviews/compiler-options/index.html)\n",
"text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug",
"id": "scala.lang.security.audit.scalac-debug.scalac-debug",
"name": "scala.lang.security.audit.scalac-debug.scalac-debug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scalac-debug.scalac-debug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/scalaj/scalaj-http#simplified-http](https://github.com/scalaj/scalaj-http#simplified-http)\n",
"text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"id": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"name": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."
},
"help": {
"markdown": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
"text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"id": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"name": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"OWASP-A04:2017 - XML External Entities (XXE)",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."
},
"help": {
"markdown": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n",
"text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"id": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"name": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
"properties": {
"precision": "very-high",
"tags": [
"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views."
},
"help": {
"markdown": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response",
"id": "scala.play.security.tainted-html-response.tainted-html-response",
"name": "scala.play.security.tainted-html-response.tainted-html-response",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-html-response.tainted-html-response"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings."
},
"help": {
"markdown": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n - [https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code](https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code)\n",
"text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"id": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"name": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-slick-sqli.tainted-slick-sqli"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
},
"help": {
"markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
"text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"id": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"name": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A parameter being passed directly into `WSClient` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
},
"help": {
"markdown": "A parameter being passed directly into `WSClient` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.playframework.com/documentation/2.8.x/ScalaWS](https://www.playframework.com/documentation/2.8.x/ScalaWS)\n",
"text": "A parameter being passed directly into `WSClient` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf",
"id": "scala.play.security.webservice-ssrf.webservice-ssrf",
"name": "scala.play.security.webservice-ssrf.webservice-ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.play.security.webservice-ssrf.webservice-ssrf"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
},
"help": {
"markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"id": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"name": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"HIGH CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"id": "scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"name": "scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."
},
"help": {
"markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n",
"text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"id": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"name": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy."
},
"help": {
"markdown": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens)\n - [https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)\n - [https://hackmd.io/@sentimentxyz/SJCySo1z2](https://hackmd.io/@sentimentxyz/SJCySo1z2)\n",
"text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"id": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"name": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."
},
"help": {
"markdown": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n",
"text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"id": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"name": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function borrowFresh() in Compound performs state update after doTransferOut()"
},
"help": {
"markdown": "Function borrowFresh() in Compound performs state update after doTransferOut()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy)\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\n - [https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4](https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4)\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\n",
"text": "Function borrowFresh() in Compound performs state update after doTransferOut()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"id": "solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"name": "solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Function sweepToken is allowed to be called by anyone"
},
"help": {
"markdown": "Function sweepToken is allowed to be called by anyone\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n",
"text": "Function sweepToken is allowed to be called by anyone\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"id": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"name": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."
},
"help": {
"markdown": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n",
"text": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"id": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"name": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "abi.encodePacked hash collision with variable length arguments in $F()"
},
"help": {
"markdown": "abi.encodePacked hash collision with variable length arguments in $F()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n",
"text": "abi.encodePacked hash collision with variable length arguments in $F()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision",
"id": "solidity.security.encode-packed-collision.encode-packed-collision",
"name": "solidity.security.encode-packed-collision.encode-packed-collision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC677 callAfterTransfer() reentrancy"
},
"help": {
"markdown": "ERC677 callAfterTransfer() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy)\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\n - [https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58](https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58)\n",
"text": "ERC677 callAfterTransfer() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy",
"id": "solidity.security.erc677-reentrancy.erc677-reentrancy",
"name": "solidity.security.erc677-reentrancy.erc677-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc677-reentrancy.erc677-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Custom ERC721 implementation lacks access control checks in _transfer()"
},
"help": {
"markdown": "Custom ERC721 implementation lacks access control checks in _transfer()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom)\n - [https://twitter.com/BlockSecAlert/status/1516289618605654024](https://twitter.com/BlockSecAlert/status/1516289618605654024)\n - [https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b](https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b)\n",
"text": "Custom ERC721 implementation lacks access control checks in _transfer()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"id": "solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"name": "solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC721 onERC721Received() reentrancy"
},
"help": {
"markdown": "ERC721 onERC721Received() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n",
"text": "ERC721 onERC721Received() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy",
"id": "solidity.security.erc721-reentrancy.erc721-reentrancy",
"name": "solidity.security.erc721-reentrancy.erc721-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ERC777 tokensReceived() reentrancy"
},
"help": {
"markdown": "ERC777 tokensReceived() reentrancy\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n",
"text": "ERC777 tokensReceived() reentrancy\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy",
"id": "solidity.security.erc777-reentrancy.erc777-reentrancy",
"name": "solidity.security.erc777-reentrancy.erc777-reentrancy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-841: Improper Enforcement of Behavioral Workflow",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "blockhash(block.number) and blockhash(block.number + N) always returns 0."
},
"help": {
"markdown": "blockhash(block.number) and blockhash(block.number + N) always returns 0.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash)\n - [https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620](https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620)\n",
"text": "blockhash(block.number) and blockhash(block.number + N) always returns 0.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"id": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"name": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash",
"properties": {
"precision": "very-high",
"tags": [
"CWE-341: Predictable from Observable State",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed."
},
"help": {
"markdown": "Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation)\n - [https://twitter.com/peckshield/status/1510232640338608131](https://twitter.com/peckshield/status/1510232640338608131)\n - [https://twitter.com/FrankResearcher/status/1510239094777032713](https://twitter.com/FrankResearcher/status/1510239094777032713)\n - [https://twitter.com/larry0x/status/1510263618180464644](https://twitter.com/larry0x/status/1510263618180464644)\n - [https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9](https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9)\n - [https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f](https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f)\n",
"text": "Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"id": "solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"name": "solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers."
},
"help": {
"markdown": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx)\n - [https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities](https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities)\n - [https://x.com/shoucccc/status/1757777764646859121](https://x.com/shoucccc/status/1757777764646859121)\n",
"text": "Missing check for \u0027from\u0027 and \u0027to\u0027 being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure \u0027from\u0027 and \u0027to\u0027 are not the same before updating balances to prevent balance manipulation during self-transfers.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"id": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"name": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"HIGH CONFIDENCE",
"OWASP-A7:2021 Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The code must not contain any of Unicode Direction Control Characters"
},
"help": {
"markdown": "The code must not contain any of Unicode Direction Control Characters\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n",
"text": "The code must not contain any of Unicode Direction Control Characters\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters",
"id": "solidity.security.no-bidi-characters.no-bidi-characters",
"name": "solidity.security.no-bidi-characters.no-bidi-characters",
"properties": {
"precision": "very-high",
"tags": [
"CWE-837: Improper Enforcement of a Single, Unique Action",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "No slippage check in a Uniswap v2/v3 trade"
},
"help": {
"markdown": "No slippage check in a Uniswap v2/v3 trade\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check)\n - [https://uniswapv3book.com/docs/milestone_3/slippage-protection/](https://uniswapv3book.com/docs/milestone_3/slippage-protection/)\n",
"text": "No slippage check in a Uniswap v2/v3 trade\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check",
"id": "solidity.security.no-slippage-check.no-slippage-check",
"name": "solidity.security.no-slippage-check.no-slippage-check",
"properties": {
"precision": "very-high",
"tags": [
"CWE-682: Incorrect Calculation",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.no-slippage-check.no-slippage-check"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Proxy declares a state var that may override a storage slot of the implementation"
},
"help": {
"markdown": "Proxy declares a state var that may override a storage slot of the implementation\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision)\n - [https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)\n",
"text": "Proxy declares a state var that may override a storage slot of the implementation\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision",
"id": "solidity.security.proxy-storage-collision.proxy-storage-collision",
"name": "solidity.security.proxy-storage-collision.proxy-storage-collision",
"properties": {
"precision": "very-high",
"tags": [
"CWE-787: Out-of-bounds Write",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.proxy-storage-collision.proxy-storage-collision"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "transferFrom() can steal allowance of other accounts"
},
"help": {
"markdown": "transferFrom() can steal allowance of other accounts\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n",
"text": "transferFrom() can steal allowance of other accounts\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"id": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"name": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "setMultipleAllowances() is missing onlyOwner modifier"
},
"help": {
"markdown": "setMultipleAllowances() is missing onlyOwner modifier\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n",
"text": "setMultipleAllowances() is missing onlyOwner modifier\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"id": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"name": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Oracle update is not restricted in $F()"
},
"help": {
"markdown": "Oracle update is not restricted in $F()\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n",
"text": "Oracle update is not restricted in $F()\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"id": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"name": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A specially crafted calldata may be used to impersonate other accounts"
},
"help": {
"markdown": "A specially crafted calldata may be used to impersonate other accounts\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n",
"text": "A specially crafted calldata may be used to impersonate other accounts\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"id": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"name": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-20: Improper Input Validation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping"
},
"help": {
"markdown": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug)\n - [https://twitter.com/Mauricio_0218/status/1490082073096462340](https://twitter.com/Mauricio_0218/status/1490082073096462340)\n - [https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1](https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1)\n",
"text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"id": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"name": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain."
},
"help": {
"markdown": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n",
"text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"id": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"name": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Webviews were observed that explicitly allow JavaScript in a WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege."
},
"help": {
"markdown": "Webviews were observed that explicitly allow JavaScript in a WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n - [https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati](https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati)\n",
"text": "Webviews were observed that explicitly allow JavaScript in a WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"id": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"name": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows",
"properties": {
"precision": "very-high",
"tags": [
"CWE-272: Least Privilege Violation",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"id": "terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"name": "terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"id": "terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"name": "terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`."
},
"help": {
"markdown": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"id": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"name": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"id": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"name": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause important event information to be lost."
},
"help": {
"markdown": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause important event information to be lost.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause important event information to be lost.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"id": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"name": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"id": "terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"name": "terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"id": "terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"name": "terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"id": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"name": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."
},
"help": {
"markdown": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"id": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"name": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"HIGH CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Database instance has no logging. Missing logs can cause important event information to be lost."
},
"help": {
"markdown": "Database instance has no logging. Missing logs can cause important event information to be lost.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Database instance has no logging. Missing logs can cause important event information to be lost.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"id": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"name": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"id": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"name": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."
},
"help": {
"markdown": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
"text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"id": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"name": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"id": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"name": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"id": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"name": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."
},
"help": {
"markdown": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"id": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"name": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"id": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"name": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."
},
"help": {
"markdown": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n",
"text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"id": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"name": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."
},
"help": {
"markdown": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"id": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"name": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2."
},
"help": {
"markdown": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options)\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\n",
"text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"id": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"name": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1390: Weak Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE."
},
"help": {
"markdown": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\n",
"text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"id": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"name": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"id": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"name": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."
},
"help": {
"markdown": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"id": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"name": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t"
},
"help": {
"markdown": "Ensure all Elasticsearch has node-to-node encryption enabled.\t\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"id": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"name": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ELB has no logging. Missing logs can cause missing important event information."
},
"help": {
"markdown": "ELB has no logging. Missing logs can cause missing important event information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "ELB has no logging. Missing logs can cause missing important event information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"id": "terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"name": "terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"id": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"name": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"id": "terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"name": "terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`."
},
"help": {
"markdown": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:\u003cidentity\u003e`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"id": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"name": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"id": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"name": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"id": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"name": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"id": "terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"name": "terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."
},
"help": {
"markdown": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"id": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"name": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"id": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"name": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."
},
"help": {
"markdown": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n",
"text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"id": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"name": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"id": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"name": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
"text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"id": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"name": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`."
},
"help": {
"markdown": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"id": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"name": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"id": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"name": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"id": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"name": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic."
},
"help": {
"markdown": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)\n - [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)\n",
"text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"id": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"name": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts."
},
"help": {
"markdown": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active)\n - [https://cwe.mitre.org/data/definitions/778.html](https://cwe.mitre.org/data/definitions/778.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode)\n - [https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html)\n",
"text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"id": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"name": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"MEDIUM CONFIDENCE",
"OWASP-A09:2021 Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
},
"help": {
"markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"id": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"name": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."
},
"help": {
"markdown": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n",
"text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"id": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"name": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
"properties": {
"precision": "very-high",
"tags": [
"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`."
},
"help": {
"markdown": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"id": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"name": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"id": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"name": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"id": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"name": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"id": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"name": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"id": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"name": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
},
"help": {
"markdown": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it\u0027s recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"id": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"name": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege."
},
"help": {
"markdown": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html)\n",
"text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"id": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"name": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"id": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"name": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."
},
"help": {
"markdown": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n",
"text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"id": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"name": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"id": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"name": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`."
},
"help": {
"markdown": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `\"VPC\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"id": "terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"name": "terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"id": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"name": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"LOW CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."
},
"help": {
"markdown": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"id": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"name": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS."
},
"help": {
"markdown": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version)\n - [https://www.ietf.org/rfc/rfc5246.txt](https://www.ietf.org/rfc/rfc5246.txt)\n",
"text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"id": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"name": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN."
},
"help": {
"markdown": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = \"SSE_KMS\" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"id": "terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"name": "terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."
},
"help": {
"markdown": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n",
"text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"id": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"name": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`."
},
"help": {
"markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
"text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"id": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"name": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.wildcard-assume-role.wildcard-assume-role"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice."
},
"help": {
"markdown": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity)\n",
"text": "Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"id": "terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"name": "terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings"
},
"help": {
"markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings)\n",
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"id": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"name": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"
},
"help": {
"markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n",
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"id": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"name": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting."
},
"help": {
"markdown": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only)\n - [https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https)\n",
"text": "By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"id": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"name": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block."
},
"help": {
"markdown": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled)\n",
"text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"id": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"name": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
"properties": {
"precision": "very-high",
"tags": [
"CWE-295: Improper Certificate Validation",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block."
},
"help": {
"markdown": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version)\n",
"text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"id": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"name": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"HIGH CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings"
},
"help": {
"markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled)\n",
"text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"id": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"name": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"LOW CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block"
},
"help": {
"markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled)\n",
"text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"id": "terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"name": "terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Key vault Secret should have a content type set"
},
"help": {
"markdown": "Key vault Secret should have a content type set\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type)\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\n",
"text": "Key vault Secret should have a content type set\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"id": "terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"name": "terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Ensure that the expiration date is set on all keys"
},
"help": {
"markdown": "Ensure that the expiration date is set on all keys\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date)\n - [https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags)\n",
"text": "Ensure that the expiration date is set on all keys\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"id": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"name": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-262: Not Using Password Aging",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Ensure that the expiration date is set on all secrets"
},
"help": {
"markdown": "Ensure that the expiration date is set on all secrets\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date)\n - [https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)\n",
"text": "Ensure that the expiration date is set on all secrets\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"id": "terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"name": "terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires",
"properties": {
"precision": "very-high",
"tags": [
"CWE-262: Not Using Password Aging",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Key vault should have purge protection enabled"
},
"help": {
"markdown": "Key vault should have purge protection enabled\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection](https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection)\n",
"text": "Key vault should have purge protection enabled\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"id": "terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"name": "terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-693: Protection Mechanism Failure",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny when IPs are not matched. Azure services can be allowed to bypass."
},
"help": {
"markdown": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny when IPs are not matched. Azure services can be allowed to bypass.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n",
"text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny when IPs are not matched. Azure services can be allowed to bypass.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"id": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"name": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules"
},
"help": {
"markdown": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services](https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services)\n",
"text": "Some Microsoft services that interact with storage accounts operate from networks that can\u0027t be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"id": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"name": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."
},
"help": {
"markdown": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n",
"text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"id": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"name": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny",
"properties": {
"precision": "very-high",
"tags": [
"CWE-16: CWE CATEGORY: Configuration",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a Storage account that was not configured to require HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block."
},
"help": {
"markdown": "Detected a Storage account that was not configured to require HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)\n",
"text": "Detected a Storage account that was not configured to require HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"id": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"name": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis."
},
"help": {
"markdown": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet](https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet)\n",
"text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"id": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"name": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"LOW CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."
},
"help": {
"markdown": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n",
"text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"id": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"name": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. To enable this for PostgreSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`."
},
"help": {
"markdown": "Ensure all Cloud SQL database instances require incoming connections to use SSL. To enable this for PostgreSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. To enable this for PostgreSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported."
},
"help": {
"markdown": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
"properties": {
"precision": "very-high",
"tags": [
"CWE-326: Inadequate Encryption Strength",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The ECR Repository isn\u0027t configured to scan images on push"
},
"help": {
"markdown": "The ECR Repository isn\u0027t configured to scan images on push\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push)\n - [https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components)\n",
"text": "The ECR Repository isn\u0027t configured to scan images on push\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"id": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"name": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1104: Use of Unmaintained Third Party Components",
"LOW CONFIDENCE",
"OWASP-A06:2021 - Vulnerable and Outdated Components",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute."
},
"help": {
"markdown": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging)\n - [https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)\n",
"text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"id": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"name": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"LOW CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"OWASP-A10:2017 - Insufficient Logging \u0026 Monitoring",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The vpc_config block inside the EKS cluster resource has not explicitly disabled public endpoint access"
},
"help": {
"markdown": "The vpc_config block inside the EKS cluster resource has not explicitly disabled public endpoint access\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "The vpc_config block inside the EKS cluster resource has not explicitly disabled public endpoint access\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"id": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"name": "terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Encryption at rest is not enabled for the Elasticsearch domain resource"
},
"help": {
"markdown": "Encryption at rest is not enabled for the Elasticsearch domain resource\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Encryption at rest is not enabled for the Elasticsearch domain resource\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"id": "terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"name": "terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "IAM policies that allow full \"*-*\" admin privileges violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need."
},
"help": {
"markdown": "IAM policies that allow full \"*-*\" admin privileges violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges)\n - [https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py)\n",
"text": "IAM policies that allow full \"*-*\" admin privileges violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"id": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"name": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response."
},
"help": {
"markdown": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n",
"text": "Ensure IAM policies don\u0027t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn\u0027t return sensitive data as part of the API response.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"id": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"name": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that users granted these privileges are given them only on specific resources."
},
"help": {
"markdown": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that users granted these privileges are given them only on specific resources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/)\n",
"text": "Ensure that IAM policies don\u0027t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don\u0027t need to read. Instead, make sure that users granted these privileges are given them only on specific resources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"id": "terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"name": "terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."
},
"help": {
"markdown": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n",
"text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"id": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"name": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE"
},
"help": {
"markdown": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py)\n",
"text": "Ensure that IAM policies with permissions on other users don\u0027t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"id": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"name": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction."
},
"help": {
"markdown": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n",
"text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"id": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"name": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources."
},
"help": {
"markdown": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n",
"text": "Ensure IAM policies don\u0027t allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn\u0027t expose AWS resources.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"id": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"name": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take."
},
"help": {
"markdown": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py)\n",
"text": "Ensure that no IAM policies allow \"*\" as a statement\u0027s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"id": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"name": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."
},
"help": {
"markdown": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n",
"text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"id": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"name": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
"properties": {
"precision": "very-high",
"tags": [
"CWE-522: Insufficiently Protected Credentials",
"MEDIUM CONFIDENCE",
"OWASP-A02:2017 - Broken Authentication",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "RDS instance accessible from the Internet detected."
},
"help": {
"markdown": "RDS instance accessible from the Internet detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible)\n - [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding)\n",
"text": "RDS instance accessible from the Internet detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access",
"id": "terraform.lang.security.rds-public-access.rds-public-access",
"name": "terraform.lang.security.rds-public-access.rds-public-access",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1220: Insufficient Granularity of Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.rds-public-access.rds-public-access"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CORS rule on bucket permits any origin"
},
"help": {
"markdown": "CORS rule on bucket permits any origin\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors)\n",
"text": "CORS rule on bucket permits any origin\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"id": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"name": "terraform.lang.security.s3-cors-all-origins.all-origins-allowed",
"properties": {
"precision": "very-high",
"tags": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-cors-all-origins.all-origins-allowed"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "S3 bucket with public read access detected."
},
"help": {
"markdown": "S3 bucket with public read access detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\n",
"text": "S3 bucket with public read access detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"id": "terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"name": "terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "S3 bucket with public read-write access detected."
},
"help": {
"markdown": "S3 bucket with public read-write access detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\n",
"text": "S3 bucket with public read-write access detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info."
},
"help": {
"markdown": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)\n",
"text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"id": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"name": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"
},
"help": {
"markdown": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n",
"text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"id": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"name": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable",
"properties": {
"precision": "very-high",
"tags": [
"CWE-665: Improper Initialization",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"
},
"help": {
"markdown": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n",
"text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"id": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"name": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map",
"properties": {
"precision": "very-high",
"tags": [
"CWE-665: Improper Initialization",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function"
},
"help": {
"markdown": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex)\n - [https://pkg.go.dev/sync#RWMutex](https://pkg.go.dev/sync#RWMutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n",
"text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"id": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"name": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"
},
"help": {
"markdown": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n",
"text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"id": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"name": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Appending `$SLICE` from multiple goroutines is not concurrency safe"
},
"help": {
"markdown": "Appending `$SLICE` from multiple goroutines is not concurrency safe\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice)\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\n",
"text": "Appending `$SLICE` from multiple goroutines is not concurrency safe\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"id": "trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"name": "trailofbits.go.racy-append-to-slice.racy-append-to-slice",
"properties": {
"precision": "very-high",
"tags": [
"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.racy-append-to-slice.racy-append-to-slice"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Writing `$MAP` from multiple goroutines is not concurrency safe"
},
"help": {
"markdown": "Writing `$MAP` from multiple goroutines is not concurrency safe\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map)\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\n",
"text": "Writing `$MAP` from multiple goroutines is not concurrency safe\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map",
"id": "trailofbits.go.racy-write-to-map.racy-write-to-map",
"name": "trailofbits.go.racy-write-to-map.racy-write-to-map",
"properties": {
"precision": "very-high",
"tags": [
"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.racy-write-to-map.racy-write-to-map"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service"
},
"help": {
"markdown": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil)\n - [https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658](https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658)\n",
"text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"id": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"name": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil",
"properties": {
"precision": "very-high",
"tags": [
"CWE-476: NULL Pointer Dereference",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Downcasting or changing sign of an integer with `$CAST_METHOD` method"
},
"help": {
"markdown": "Downcasting or changing sign of an integer with `$CAST_METHOD` method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast)\n - [https://github.com/golang/go/issues/30209](https://github.com/golang/go/issues/30209)\n",
"text": "Downcasting or changing sign of an integer with `$CAST_METHOD` method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"id": "trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"name": "trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast",
"properties": {
"precision": "very-high",
"tags": [
"CWE-681: Incorrect Conversion between Numeric Types",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"
},
"help": {
"markdown": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"id": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"name": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied",
"properties": {
"precision": "very-high",
"tags": [
"CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n"
},
"help": {
"markdown": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"id": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"name": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`"
},
"help": {
"markdown": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n",
"text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"id": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"name": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop",
"properties": {
"precision": "very-high",
"tags": [
"CWE-667: Improper Locking",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"
},
"help": {
"markdown": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n",
"text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"id": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"name": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning",
"properties": {
"precision": "very-high",
"tags": [
"CWE-676: Use of Potentially Dangerous Function",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks"
},
"help": {
"markdown": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas)\n - [https://lxml.de/FAQ.html](https://lxml.de/FAQ.html)\n",
"text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"id": "trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"name": "trailofbits.python.lxml-in-pandas.lxml-in-pandas",
"properties": {
"precision": "very-high",
"tags": [
"CWE-611: Improper Restriction of XML External Entity Reference",
"HIGH CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.lxml-in-pandas.lxml-in-pandas"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading"
},
"help": {
"markdown": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules)\n - [https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects](https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects)\n",
"text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"id": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"name": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules",
"properties": {
"precision": "very-high",
"tags": [
"MEDIUM CONFIDENCE"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"id": "trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"name": "trailofbits.python.pickles-in-numpy.pickles-in-numpy",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-numpy.pickles-in-numpy"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"id": "trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"name": "trailofbits.python.pickles-in-pandas.pickles-in-pandas",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-pandas.pickles-in-pandas"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"
},
"help": {
"markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n",
"text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"id": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"name": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch",
"properties": {
"precision": "very-high",
"tags": [
"CWE-502: Deserialization of Untrusted Data",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"
},
"help": {
"markdown": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n",
"text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"id": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"name": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal",
"properties": {
"precision": "very-high",
"tags": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context."
},
"help": {
"markdown": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust)\n - [https://angular.io/api/platform-browser/DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"id": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"name": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"
},
"help": {
"markdown": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
"text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"id": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"name": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"
},
"help": {
"markdown": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
"text": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"id": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"name": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue."
},
"help": {
"markdown": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html)\n",
"text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"id": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"name": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
"properties": {
"precision": "very-high",
"tags": [
"CWE-311: Missing Encryption of Sensitive Data",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional."
},
"help": {
"markdown": "Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)\n",
"text": "Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"id": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"name": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-306: Missing Authentication for Critical Function",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project."
},
"help": {
"markdown": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public)\n - [https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html](https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html)\n",
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"id": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"name": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"properties": {
"precision": "very-high",
"tags": [
"CWE-306: Missing Authentication for Critical Function",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN"
},
"help": {
"markdown": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Unescaped \u0027.\u0027 character in CORS domain regex $CORS: $PATTERN\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"id": "typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"name": "typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."
},
"help": {
"markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"id": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"name": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any",
"properties": {
"precision": "very-high",
"tags": [
"CWE-183: Permissive List of Allowed Inputs",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter."
},
"help": {
"markdown": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "X-XSS-Protection header is set to 0. This will disable the browser\u0027s XSS Filter.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"id": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"name": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability."
},
"help": {
"markdown": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
"text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"id": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"name": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
},
"help": {
"markdown": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n",
"text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Property decoded from JWT token without verification cannot be trusted."
},
"help": {
"markdown": "Property decoded from JWT token without verification cannot be trusted.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property)\n - [https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html](https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html)\n",
"text": "Property decoded from JWT token without verification cannot be trusted.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"id": "typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"name": "typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property",
"properties": {
"precision": "very-high",
"tags": [
"CWE-922: Insecure Storage of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie."
},
"help": {
"markdown": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)\n",
"text": "Storing JWT tokens in localStorage is known to be a bad practice; consider moving your tokens from localStorage to an HTTP cookie.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"id": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"name": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage",
"properties": {
"precision": "very-high",
"tags": [
"CWE-922: Insecure Storage of Sensitive Information",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
},
"help": {
"markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln](https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/write](https://developer.mozilla.org/en-US/docs/Web/API/Document/write)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML)\n",
"text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"id": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"name": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Unencrypted request over HTTP detected."
},
"help": {
"markdown": "Unencrypted request over HTTP detected.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n",
"text": "Unencrypted request over HTTP detected.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request",
"id": "typescript.react.security.react-insecure-request.react-insecure-request",
"name": "typescript.react.security.react-insecure-request.react-insecure-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."
},
"help": {
"markdown": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n",
"text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead."
},
"help": {
"markdown": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection)\n - [https://github.com/argoproj/argo-workflows/issues/5061](https://github.com/argoproj/argo-workflows/issues/5061)\n - [https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370](https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370)\n",
"text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"id": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"name": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 \u2013 Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this."
},
"help": {
"markdown": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n",
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from volumes to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"id": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"name": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "Service \u0027$SERVICE\u0027 allows for privilege escalation via setuid or setgid binaries. Add \u0027no-new-privileges:true\u0027 in \u0027security_opt\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"id": "yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"name": "yaml.docker-compose.security.no-new-privileges.no-new-privileges",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n",
"text": "Service \u0027$SERVICE\u0027 is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service",
"id": "yaml.docker-compose.security.privileged-service.privileged-service",
"name": "yaml.docker-compose.security.privileged-service.privileged-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n",
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccomp:unconfined\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"id": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"name": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n",
"text": "Service \u0027$SERVICE\u0027 is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove \u0027label:disable\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"id": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"name": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this."
},
"help": {
"markdown": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir)\n - [https://blog.atomist.com/security-of-docker-kubernetes/](https://blog.atomist.com/security-of-docker-kubernetes/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only)\n",
"text": "Service \u0027$SERVICE\u0027 is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add \u0027read_only: true\u0027 to this service to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"id": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"name": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information."
},
"help": {
"markdown": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands)\n - [https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/](https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/)\n - [https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w](https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w)\n - [https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files)\n",
"text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don\u0027t use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"id": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"name": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
"properties": {
"precision": "very-high",
"tags": [
"CWE-749: Exposed Dangerous Method or Function",
"MEDIUM CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
},
"help": {
"markdown": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n",
"text": "Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval",
"id": "yaml.github-actions.security.curl-eval.curl-eval",
"name": "yaml.github-actions.security.curl-eval.curl-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.curl-eval.curl-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\"."
},
"help": {
"markdown": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n",
"text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`\u0027s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection",
"id": "yaml.github-actions.security.github-script-injection.github-script-injection",
"name": "yaml.github-actions.security.github-script-injection.github-script-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
},
"help": {
"markdown": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n",
"text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"id": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"name": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\"."
},
"help": {
"markdown": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n",
"text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
"id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
"name": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"HIGH CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
},
"help": {
"markdown": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n",
"text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you\u0027re now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"id": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"name": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
"properties": {
"precision": "very-high",
"tags": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources",
"MEDIUM CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"id": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"name": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true`, which makes this container much more vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true`, which makes this container much more vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true`, which makes this container much more vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"id": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"name": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
"text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"id": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"name": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
"properties": {
"precision": "very-high",
"tags": [
"CWE-732: Incorrect Permission Assignment for Critical Resource",
"MEDIUM CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead."
},
"help": {
"markdown": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled)\n - [https://flask.palletsprojects.com/en/2.0.x/debugging/](https://flask.palletsprojects.com/en/2.0.x/debugging/)\n - [https://flask.palletsprojects.com/en/2.0.x/config/#ENV](https://flask.palletsprojects.com/en/2.0.x/config/#ENV)\n",
"text": "Do not set FLASK_ENV to \"development\" since that sets `debug=True` in Flask. Use \"dev\" or a similar term instead.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"id": "yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"name": "yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-489: Active Debug Code",
"LOW CONFIDENCE",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this."
},
"help": {
"markdown": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath)\n - [https://kubernetes.io/docs/concepts/storage/volumes/#hostpath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n",
"text": "Exposing host\u0027s Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove \u0027docker.sock\u0027 from hostpath to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"id": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"name": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the \u0027hostIPC\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"id": "yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"name": "yaml.kubernetes.security.hostipc-pod.hostipc-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-693: Protection Mechanism Failure",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostipc-pod.hostipc-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the \u0027hostNetwork\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"id": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"name": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-406: Insufficient Control of Network Message Volume (Network Amplification)",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality."
},
"help": {
"markdown": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n",
"text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the \u0027hostPID\u0027 key to disable this functionality.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"id": "yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"name": "yaml.kubernetes.security.hostpid-pod.hostpid-pod",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"LOW CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. "
},
"help": {
"markdown": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions)\n - [https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)\n - [https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups)\n",
"text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"id": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"name": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-269: Improper Privilege Management",
"HIGH CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability."
},
"help": {
"markdown": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n",
"text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the \u0027privileged\u0027 key to disable this capability.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container",
"id": "yaml.kubernetes.security.privileged-container.privileged-container",
"name": "yaml.kubernetes.security.privileged-container.privileged-container",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.privileged-container.privileged-container"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
},
"help": {
"markdown": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root)\n - [https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user)\n",
"text": "When running containers in Kubernetes, it\u0027s important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it\u0027s recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"id": "yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"name": "yaml.kubernetes.security.run-as-non-root.run-as-non-root",
"properties": {
"precision": "very-high",
"tags": [
"CWE-250: Execution with Unnecessary Privileges",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"OWASP-A06:2017 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.run-as-non-root.run-as-non-root"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this."
},
"help": {
"markdown": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n",
"text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove \u0027seccompProfile: unconfined\u0027 to prevent this.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"id": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"name": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-284: Improper Access Control",
"MEDIUM CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"OWASP-A05:2017 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication."
},
"help": {
"markdown": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster)\n - [https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster](https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster)\n",
"text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecure-skip-tls-verify: true\u0027 key to secure communication.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"id": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"name": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication."
},
"help": {
"markdown": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n",
"text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the \u0027insecureSkipTLSVerify: true\u0027 key to secure communication.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"id": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"name": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function."
},
"help": {
"markdown": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false)\n - [https://platform.openai.com/docs/actions/consequential-flag](https://platform.openai.com/docs/actions/consequential-flag)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf](https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf)\n",
"text": "Found \u0027x-openai-isConsequential: false\u0027 in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the \u0027Always Allow\u0027 option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the \u0027Always Allow\u0027 button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"id": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"name": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
"properties": {
"precision": "very-high",
"tags": [
"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"HIGH CONFIDENCE",
"OWASP-A04:2021 Insecure Design",
"OWASP-LLM08:2023 - Excessive Agency",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS."
},
"help": {
"markdown": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\n\n\u003cb\u003eReferences:\u003c/b\u003e\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n",
"text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such as OAuth2, OpenID Connect, or mTLS.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
},
"helpUri": "https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"id": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"name": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
"properties": {
"precision": "very-high",
"tags": [
"CWE-287: Improper Authentication",
"HIGH CONFIDENCE",
"OWASP-A04:2021 Insecure Design",
"OWASP-A07:2021 Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"
}
}
],
"semanticVersion": "1.143.1"
}
}
}
],
"version": "2.1.0"
},
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:15:35.192986+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 10,
"startLine": 21
}
}
}
],
"message": {
"text": "Name \"db.Model\" is not defined"
},
"properties": {
"severity": "high"
},
"ruleId": "type-check"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/mypy",
"name": "mypy",
"version": "unknown"
}
}
},
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"results": [],
"tool": {
"driver": {
"informationUri": "https://github.com/astral-sh/ruff",
"name": "ruff",
"rules": [],
"version": "0.14.5"
}
}
}
],
"version": "2.1.0"
}
],
"version": "2.1.0"
},
"summary": {
"analysis_status": "completed",
"configuration_preset": "default",
"severity_breakdown": {
"error": 0,
"high": 0,
"info": 0,
"low": 4,
"medium": 14,
"warning": 0
},
"tools_run_successfully": 3,
"total_issues_found": 20
},
"tools_used": [
"bandit",
"pylint",
"semgrep",
"mypy",
"safety",
"vulture",
"ruff",
"eslint"
]
},
"service": "static-analyzer",
"status": "success",
"timestamp": "2025-11-16T13:15:42.877961",
"type": "static_analysis_result"
}
},
"summary": {
"overall_status": "completed",
"services_completed": [
"static",
"performance",
"dynamic",
"ai"
],
"total_findings": 20
},
"task_name": "task_d046453d3526"
},
"results": {
"services": {
"ai": {
"analysis": {
"metadata": {
"ai_model_used": "anthropic/claude-3-5-haiku",
"analysis_time": "2025-11-16T13:20:11.515933",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"template_slug": "api_url_shortener"
},
"results": {
"control_endpoint_tests": [],
"functional_requirements": [
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The code does not fully meet the specific requirement of generating a 6-character random code for URL shortening. While the `generate_short_code()` function in the backend does create a 6-character random code using letters and digits, the frontend code appears to be using a different API endpoint (`/api/urls`) that does not match the specified `/api/shorten` endpoint. The frontend code suggests a different implementation than what was described in the requirement. Additionally, the frontend code seems to be incomplete (truncated), making a full analysis challenging, but based on the visible code, the specific requirement is not met as written.\n\nKey discrepancies:\n1. Frontend uses `/api/urls` instead of `/api/shorten`\n2. The backend route exists for `/api/shorten`, but the frontend does not match this route\n3. The 6-character code generation is present, but the overall API implementation differs from the requirement",
"met": false,
"requirement": "1. POST /api/shorten - accept long URL, generate 6-character random code"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "While the Url model in the backend (backend/app.py) closely matches the requirement, the specific implementation does not fully align with the stated requirement. The model includes all the specified fields (id, original_url, short_code, created_at, click_count), but there are discrepancies in the implementation:\n\n1. The code lacks an explicit API endpoint to retrieve or list URLs, which would typically be expected with this model.\n2. The frontend code (App.jsx) references `/api/urls` endpoints that do not exist in the backend code.\n3. The model is correctly defined with the specified fields, but the surrounding infrastructure to fully utilize these fields is incomplete.\n\nThe core model meets the technical specification, but the overall application implementation does not fully support the expected functionality for managing and tracking URL entries as implied by the model\u0027s structure.",
"met": false,
"requirement": "2. URL model: id, original_url, short_code (unique), created_at, click_count"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The requirement \"3. GET /:code - lookup and redirect to original URL, increment counter\" is fully implemented in the `redirect_to_url()` function in the backend/app.py file. \n\nSpecifically, the function:\n1. Looks up the URL entry by the short code using `Url.query.filter_by(short_code=code).first()`\n2. Increments the click count with `url_entry.click_count += 1`\n3. Commits the database change with `db.session.commit()`\n4. Redirects to the original URL using `redirect(url_entry.original_url, code=302)`\n5. Handles cases where the short code is not found by returning a 404 error\n6. Includes error handling and logging\n\nThe implementation matches all aspects of the requirement, including lookup, redirection, and click count increment, with robust error handling.",
"met": true,
"requirement": "3. GET /:code - lookup and redirect to original URL, increment counter"
},
{
"confidence": "HIGH",
"evidence": {},
"explanation": "The URL validation is implemented in the backend\u0027s `is_valid_url()` function within the `backend/app.py` file. This function uses `urlparse()` to check two key aspects of a valid URL:\n1. It checks for the presence of a scheme (e.g., http, https)\n2. It checks for the presence of a network location (domain)\n\nAdditionally, in the frontend (`App.jsx`), there\u0027s a complementary `isValidUrl()` method that uses the `URL()` constructor to validate URLs before submission.\n\nIn the `/api/shorten` route, there\u0027s an explicit validation check:\n```python\nif not is_valid_url(long_url):\n logger.warning(f\"POST /api/shorten: Invalid URL format: {long_url}\")\n return jsonify({\u0027error\u0027: \u0027Invalid URL format\u0027}), 400\n```\n\nThis ensures that only valid URLs are processed for shortening, directly meeting the requirement of validating URL format before shortening.",
"met": true,
"requirement": "4. Validate URL format before shortening"
}
],
"summary": {
"compliance_percentage": 50.0,
"control_endpoints_passed": 0,
"functional_requirements_met": 2,
"total_control_endpoints": 0,
"total_functional_requirements": 4
}
},
"status": "success",
"tool_name": "requirements-checker"
},
"service": "ai-analyzer",
"status": "success",
"timestamp": "2025-11-16T13:20:11.515965",
"type": "ai_analysis_result"
},
"dynamic": {
"analysis": {
"analysis_time": "2025-11-16T13:19:11.417056",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"connectivity": [
{
"analysis": {
"curl_exit_code": 0,
"reachable": true,
"security_headers": {
"content-security-policy": false,
"strict-transport-security": false,
"x-content-type-options": false,
"x-frame-options": false,
"x-xss-protection": false
},
"security_score": 0,
"status_code": 404,
"status_line": "HTTP/1.1 404 NOT FOUND",
"total_security_headers": 5,
"url": "http://host.docker.internal:5009"
},
"status": "success"
},
{
"analysis": {
"curl_exit_code": 0,
"reachable": true,
"security_headers": {
"content-security-policy": false,
"strict-transport-security": false,
"x-content-type-options": false,
"x-frame-options": false,
"x-xss-protection": false
},
"security_score": 0,
"status_code": 200,
"status_line": "HTTP/1.1 200 OK",
"total_security_headers": 5,
"url": "http://host.docker.internal:8009"
},
"status": "success"
}
],
"port_scan": {
"host": "host.docker.internal",
"open_ports": [
5000,
5009,
8009
],
"scanned_ports": [
8000,
5000,
8009,
80,
5009,
8080,
3000,
443
],
"status": "success",
"total_open": 3
},
"tool_runs": {
"curl": {
"commands": [],
"executed": true,
"status": "success",
"tool": "curl",
"total_issues": 1
},
"nmap": {
"commands": [],
"executed": true,
"status": "success",
"tool": "nmap",
"total_issues": 0
},
"zap": {
"commands": [],
"executed": true,
"status": "success",
"tool": "zap",
"total_issues": 37
}
},
"vulnerability_scan": [
{
"status": "success",
"total_vulnerabilities": 0,
"url": "http://host.docker.internal:5009",
"vulnerabilities": []
},
{
"status": "success",
"total_vulnerabilities": 1,
"url": "http://host.docker.internal:8009",
"vulnerabilities": [
{
"description": "Potentially sensitive paths are accessible",
"paths": [
{
"path": "/admin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/admin"
},
{
"path": "/login",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/login"
},
{
"path": "/wp-admin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/wp-admin"
},
{
"path": "/phpmyadmin",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/phpmyadmin"
},
{
"path": "/.git",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/.git"
},
{
"path": "/.env",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/.env"
},
{
"path": "/config",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/config"
},
{
"path": "/backup",
"status": "HTTP/1.1 200 OK",
"url": "http://host.docker.internal:8009/backup"
}
],
"severity": "medium",
"type": "exposed_paths"
}
]
}
],
"zap_security_scan": [
{
"alerts_by_risk": {
"High": [],
"Informational": [],
"Low": [
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "1",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/",
"wascid": "13"
},
{
"alert": "ZAP is Out of Date",
"alertRef": "10116",
"attack": "",
"confidence": "High",
"cweid": "1104",
"description": "The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is.",
"evidence": "",
"id": "2",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "ZAP is Out of Date",
"other": "The latest version of ZAP is 2.16.1",
"param": "",
"pluginId": "10116",
"reference": "https://www.zaproxy.org/download/",
"risk": "Low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"sourceid": "3",
"tags": {
"CWE-1104": "https://cwe.mitre.org/data/definitions/1104.html"
},
"url": "http://host.docker.internal:5009/",
"wascid": "45"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "4",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "6",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "8",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009",
"wascid": "13"
}
],
"Medium": [
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "0",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "3",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "5",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "14"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "7",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009",
"wascid": "14"
}
]
},
"all_alerts": [
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "0",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "1",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/",
"wascid": "13"
},
{
"alert": "ZAP is Out of Date",
"alertRef": "10116",
"attack": "",
"confidence": "High",
"cweid": "1104",
"description": "The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is.",
"evidence": "",
"id": "2",
"inputVector": "",
"messageId": "1",
"method": "GET",
"name": "ZAP is Out of Date",
"other": "The latest version of ZAP is 2.16.1",
"param": "",
"pluginId": "10116",
"reference": "https://www.zaproxy.org/download/",
"risk": "Low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"sourceid": "3",
"tags": {
"CWE-1104": "https://cwe.mitre.org/data/definitions/1104.html"
},
"url": "http://host.docker.internal:5009/",
"wascid": "45"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "3",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "4",
"inputVector": "",
"messageId": "7",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/sitemap.xml",
"wascid": "13"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "5",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "6",
"inputVector": "",
"messageId": "8",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009/robots.txt",
"wascid": "13"
},
{
"alert": "Cross-Domain Misconfiguration",
"alertRef": "10098",
"attack": "",
"confidence": "Medium",
"cweid": "264",
"description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.",
"evidence": "Access-Control-Allow-Origin: *",
"id": "7",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Cross-Domain Misconfiguration",
"other": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.",
"param": "",
"pluginId": "10098",
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "Medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"sourceid": "3",
"tags": {
"CWE-264": "https://cwe.mitre.org/data/definitions/264.html",
"OWASP_2017_A05": "https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
},
"url": "http://host.docker.internal:5009",
"wascid": "14"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "Werkzeug/3.0.1 Python/3.11.14",
"id": "8",
"inputVector": "",
"messageId": "9",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:5009",
"wascid": "13"
}
],
"scan_type": "baseline",
"status": "success",
"total_alerts": 9,
"url": "http://host.docker.internal:5009"
},
{
"alerts_by_risk": {
"High": [],
"Informational": [
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "13",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "18",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "23",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "-1"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "28",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "-1"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "user",
"id": "36",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bUSER\\b and was detected 2 times, the first in the element starting with: \"`+o.stack}return{value:e,source:t,stack:l,digest:null}}function So(e,t,n){return{value:e,source:null,stack:n??null,digest:t??nul\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "select",
"id": "37",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bSELECT\\b and was detected in the element starting with: \"`+l[i].replace(\" at new \",\" at \");return e.displayName\u0026\u0026s.includes(\"\u003canonymous\u003e\")\u0026\u0026(s=s.replace(\"\u003canonymous\u003e\",e.displayName)),s}\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "from",
"id": "38",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bFROM\\b and was detected in the element starting with: \"`):\" \"+Ws(i[0]):\"as no adapter specified\";throw new O(\"There is no suitable adapter to dispatch the request \"+u,\"ERR_NOT_SUPPORT\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
}
],
"Low": [
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "14",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "15",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "19",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "20",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "24",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "25",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "29",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "30",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "39",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "40",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "41",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "42",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "78",
"inputVector": "",
"messageId": "47",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets",
"wascid": "13"
}
],
"Medium": [
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "11",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "12",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "16",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "17",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "21",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "22",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "26",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "27",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
}
]
},
"all_alerts": [
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "11",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "12",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "13",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "14",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "15",
"inputVector": "",
"messageId": "11",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "16",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "17",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "18",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "19",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "20",
"inputVector": "",
"messageId": "17",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "21",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "22",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "23",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "24",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "25",
"inputVector": "",
"messageId": "18",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/sitemap.xml",
"wascid": "15"
},
{
"alert": "Missing Anti-clickjacking Header",
"alertRef": "10020-1",
"attack": "",
"confidence": "Medium",
"cweid": "1021",
"description": "The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options.",
"evidence": "",
"id": "26",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Missing Anti-clickjacking Header",
"other": "",
"param": "x-frame-options",
"pluginId": "10020",
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "Medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"sourceid": "3",
"tags": {
"CWE-1021": "https://cwe.mitre.org/data/definitions/1021.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-CLNT-09": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Content Security Policy (CSP) Header Not Set",
"alertRef": "10038-1",
"attack": "",
"confidence": "High",
"cweid": "693",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"evidence": "",
"id": "27",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Content Security Policy (CSP) Header Not Set",
"other": "",
"param": "",
"pluginId": "10038",
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "Medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Modern Web Application",
"alertRef": "10109",
"attack": "",
"confidence": "Medium",
"cweid": "-1",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"evidence": "\u003cscript type=\"module\" crossorigin src=\"/assets/index-BX7x1nO0.js\"\u003e\u003c/script\u003e",
"id": "28",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Modern Web Application",
"other": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"param": "",
"pluginId": "10109",
"reference": "",
"risk": "Informational",
"solution": "This is an informational alert and so no changes are required.",
"sourceid": "3",
"tags": {},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "-1"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "29",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "30",
"inputVector": "",
"messageId": "20",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/robots.txt",
"wascid": "15"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "user",
"id": "36",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bUSER\\b and was detected 2 times, the first in the element starting with: \"`+o.stack}return{value:e,source:t,stack:l,digest:null}}function So(e,t,n){return{value:e,source:null,stack:n??null,digest:t??nul\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "select",
"id": "37",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bSELECT\\b and was detected in the element starting with: \"`+l[i].replace(\" at new \",\" at \");return e.displayName\u0026\u0026s.includes(\"\u003canonymous\u003e\")\u0026\u0026(s=s.replace(\"\u003canonymous\u003e\",e.displayName)),s}\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Information Disclosure - Suspicious Comments",
"alertRef": "10027",
"attack": "",
"confidence": "Low",
"cweid": "200",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"evidence": "from",
"id": "38",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Information Disclosure - Suspicious Comments",
"other": "The following pattern was used: \\bFROM\\b and was detected in the element starting with: \"`):\" \"+Ws(i[0]):\"as no adapter specified\";throw new O(\"There is no suitable adapter to dispatch the request \"+u,\"ERR_NOT_SUPPORT\", see evidence field for the suspicious comment/snippet.",
"param": "",
"pluginId": "10027",
"reference": "",
"risk": "Informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A03": "https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html",
"OWASP_2021_A01": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"WSTG-v42-INFO-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "39",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "40",
"inputVector": "",
"messageId": "23",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-BX7x1nO0.js",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "41",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "13"
},
{
"alert": "X-Content-Type-Options Header Missing",
"alertRef": "10021",
"attack": "",
"confidence": "Medium",
"cweid": "693",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"evidence": "",
"id": "42",
"inputVector": "",
"messageId": "25",
"method": "GET",
"name": "X-Content-Type-Options Header Missing",
"other": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.",
"param": "x-content-type-options",
"pluginId": "10021",
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "Low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"sourceid": "3",
"tags": {
"CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
},
"url": "http://host.docker.internal:8009/assets/index-TQl7X6OI.css",
"wascid": "15"
},
{
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"alertRef": "10036",
"attack": "",
"confidence": "High",
"cweid": "200",
"description": "The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.",
"evidence": "nginx/1.29.3",
"id": "78",
"inputVector": "",
"messageId": "47",
"method": "GET",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"other": "",
"param": "",
"pluginId": "10036",
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "Low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"sourceid": "3",
"tags": {
"CWE-200": "https://cwe.mitre.org/data/definitions/200.html",
"OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"WSTG-v42-INFO-02": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server"
},
"url": "http://host.docker.internal:8009/assets",
"wascid": "13"
}
],
"scan_type": "baseline",
"status": "success",
"total_alerts": 28,
"url": "http://host.docker.internal:8009"
}
]
},
"sarif_export": {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:19:44.984004+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "ZAP is Out of Date: The version of ZAP you are using to test your app is out of date and is no longer being updated.\nThe risk level is set based on how out of date your ZAP version is."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-1104"
],
"reference": "https://www.zaproxy.org/download/",
"risk": "low",
"solution": "Download the latest version of ZAP from https://www.zaproxy.org/download/ and install it.",
"wasc": 45
},
"ruleId": "ZAP is Out of Date"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "Cross-Domain Misconfiguration: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-264"
],
"reference": "https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy",
"risk": "medium",
"solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.",
"wasc": 14
},
"ruleId": "Cross-Domain Misconfiguration"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
}
],
"tool": {
"driver": {
"informationUri": "https://www.zaproxy.org/",
"name": "zap",
"version": "unknown"
}
}
},
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:19:44.984283+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Missing Anti-clickjacking Header: The response does not protect against \u0027ClickJacking\u0027 attacks. It should include either Content-Security-Policy with \u0027frame-ancestors\u0027 directive or X-Frame-Options."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-1021"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"risk": "medium",
"solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.\nIf you expect the page to be framed only by pages on your server (e.g. it\u0027s part of a FRAMESET) then you\u0027ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy\u0027s \"frame-ancestors\" directive.",
"wasc": 15
},
"ruleId": "Missing Anti-clickjacking Header"
},
{
"level": "warning",
"message": {
"text": "Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-693"
],
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
"risk": "medium",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
"wasc": 15
},
"ruleId": "Content Security Policy (CSP) Header Not Set"
},
{
"level": "note",
"message": {
"text": "Modern Web Application: The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE--1"
],
"risk": "informational",
"solution": "This is an informational alert and so no changes are required.",
"wasc": -1
},
"ruleId": "Modern Web Application"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "note",
"message": {
"text": "Information Disclosure - Suspicious Comments: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments."
},
"properties": {
"confidence": "low",
"cwe": [
"CWE-200"
],
"risk": "informational",
"solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"wasc": 13
},
"ruleId": "Information Disclosure - Suspicious Comments"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
},
{
"level": "warning",
"message": {
"text": "X-Content-Type-Options Header Missing: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to \u0027nosniff\u0027. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
},
"properties": {
"confidence": "medium",
"cwe": [
"CWE-693"
],
"reference": "https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)\nhttps://owasp.org/www-community/Security_Headers",
"risk": "low",
"solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to \u0027nosniff\u0027 for all web pages.\nIf possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"wasc": 15
},
"ruleId": "X-Content-Type-Options Header Missing"
},
{
"level": "warning",
"message": {
"text": "Server Leaks Version Information via \"Server\" HTTP Response Header Field: The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."
},
"properties": {
"confidence": "high",
"cwe": [
"CWE-200"
],
"reference": "https://httpd.apache.org/docs/current/mod/core.html#servertokens\nhttps://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)\nhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/",
"risk": "low",
"solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.",
"wasc": 13
},
"ruleId": "Server Leaks Version Information via \"Server\" HTTP Response Header Field"
}
],
"tool": {
"driver": {
"informationUri": "https://www.zaproxy.org/",
"name": "zap",
"version": "unknown"
}
}
}
],
"version": "2.1.0"
},
"summary": {
"analysis_status": "completed",
"reachable_urls": 2,
"total_urls_tested": 2,
"vulnerabilities_found": 1
},
"target_urls": [
"http://host.docker.internal:5009",
"http://host.docker.internal:8009"
],
"tool_results": {
"curl": {
"executed": true,
"status": "success",
"tool": "curl",
"total_issues": 1
},
"nmap": {
"executed": true,
"status": "success",
"tool": "nmap",
"total_issues": 0
},
"zap": {
"executed": true,
"status": "success",
"tool": "zap",
"total_issues": 37
}
},
"tools_used": [
"nmap",
"zap",
"curl"
]
},
"service": "dynamic-analyzer",
"status": "success",
"timestamp": "2025-11-16T13:19:45.081843",
"type": "dynamic_analysis_result"
},
"performance": {
"analysis": {
"analysis_time": "2025-11-16T13:15:43.406182",
"app_number": 1,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"http://host.docker.internal:5009": {
"ab": {
"avg_response_time": 4.344,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:5009/"
],
"duration": 0.0994715690612793,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: Werkzeug/3.0.1\nServer Hostname: host.docker.internal\nServer Port: 5009\n\nDocument Path: /\nDocument Length: 31 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.087 seconds\nComplete requests: 20\nFailed requests: 0\nNon-2xx responses: 20\nTotal transferred: 4720 bytes\nHTML transferred: 620 bytes\nRequests per second: 230.20 [#/sec] (mean)\nTime per request: 21.720 [ms] (mean)\nTime per request: 4.344 [ms] (mean, across all concurrent requests)\nTransfer rate: 53.05 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 3 0.6 2 4\nProcessing: 14 17 1.7 17 20\nWaiting: 3 5 1.4 5 8\nTotal: 16 19 1.7 19 22\nWARNING: The median and mean for the initial connection time are not within a normal deviation\n These results are probably not that reliable.\n\nPercentage of the requests served within a certain time (ms)\n 50% 19\n 66% 21\n 75% 21\n 80% 21\n 90% 22\n 95% 22\n 98% 22\n 99% 22\n 100% 22 (longest request)\n"
},
"requests_per_second": 230.2,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:5009/"
},
"aiohttp": {
"avg_response_time": 14.9841,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 29.155,
"median_response_time": 14.918,
"min_response_time": 7.622,
"raw": {
"duration": 0.10457968711853027,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:5009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 0,
"3xx": 0,
"4xx": 150,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 45.82046842575073,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tek6y_9ccx8mjeecw4yyykpnke9bmapfdxy_qwhq\nPhase started: Load test (index: 0, duration: 30s) 13:16:57(+0000)\n\n--------------------------------------\nMetrics for period to: 13:17:00(+0000) (width: 1.327s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 10\nhttp.downloaded_bytes: ......................................................... 310\nhttp.request_rate: ............................................................. 10/sec\nhttp.requests: ................................................................. 10\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 14\n mean: ........................................................................ 5.9\n median: ...................................................................... 5\n p95: ......................................................................... 7\n p99: ......................................................................... 7\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 14\n mean: ........................................................................ 5.9\n median: ...................................................................... 5\n p95: ......................................................................... 7\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 10\nvusers.completed: .............................................................. 10\nvusers.created: ................................................................ 
10\nvusers.created_by_name.Simple load test: ....................................... 10\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 14.4\n max: ......................................................................... 119.8\n mean: ........................................................................ 53.9\n median: ...................................................................... 38.5\n p95: ......................................................................... 120.3\n p99: ......................................................................... 120.3\n\n\n--------------------------------------\nMetrics for period to: 13:17:10(+0000) (width: 9.237s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 1550\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 18\n mean: ........................................................................ 6.2\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 
18\n mean: ........................................................................ 6.2\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 12.4\n max: ......................................................................... 42.4\n mean: ........................................................................ 20.1\n median: ...................................................................... 18.4\n p95: ......................................................................... 32.1\n p99: ......................................................................... 38.5\n\n\n--------------------------------------\nMetrics for period to: 13:17:20(+0000) (width: 9.246s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 1550\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 3\n max: ......................................................................... 
74\n mean: ........................................................................ 6.8\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.response_time.4xx:\n min: ......................................................................... 3\n max: ......................................................................... 74\n mean: ........................................................................ 6.8\n median: ...................................................................... 5\n p95: ......................................................................... 10.9\n p99: ......................................................................... 16\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 11.5\n max: ......................................................................... 171.5\n mean: ........................................................................ 31.8\n median: ...................................................................... 15.3\n p95: ......................................................................... 115.6\n p99: ......................................................................... 
127.8\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:17:27(+0000)\n\n--------------------------------------\nMetrics for period to: 13:17:30(+0000) (width: 7.329s)\n--------------------------------------\n\nhttp.codes.404: ................................................................ 40\nhttp.downloaded_bytes: ......................................................... 1240\nhttp.request_rate: ...................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:5009"
},
"connectivity": {
"message": "Successfully connected to http://host.docker.internal:5009",
"original_url": "http://host.docker.internal:5009",
"status": "success",
"working_url": "http://host.docker.internal:5009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:5009"
}
},
"http://host.docker.internal:8009": {
"ab": {
"avg_response_time": 3.2,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:8009/"
],
"duration": 0.07644104957580566,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: nginx/1.29.3\nServer Hostname: host.docker.internal\nServer Port: 8009\n\nDocument Path: /\nDocument Length: 406 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.064 seconds\nComplete requests: 20\nFailed requests: 0\nTotal transferred: 15140 bytes\nHTML transferred: 8120 bytes\nRequests per second: 312.51 [#/sec] (mean)\nTime per request: 16.000 [ms] (mean)\nTime per request: 3.200 [ms] (mean, across all concurrent requests)\nTransfer rate: 231.03 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 6 4.5 5 19\nProcessing: 3 8 6.6 6 23\nWaiting: 2 8 6.2 5 22\nTotal: 6 14 7.8 13 31\n\nPercentage of the requests served within a certain time (ms)\n 50% 13\n 66% 14\n 75% 22\n 80% 24\n 90% 29\n 95% 31\n 98% 31\n 99% 31\n 100% 31 (longest request)\n"
},
"requests_per_second": 312.51,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:8009/"
},
"aiohttp": {
"avg_response_time": 4.4738,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 13.024000000000001,
"median_response_time": 3.2969999999999997,
"min_response_time": 2.054,
"raw": {
"duration": 0.033414602279663086,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 150,
"3xx": 0,
"4xx": 0,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 41.24952745437622,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tnqja_hq3k9f3xwkfd5kfmw5j4539nechmh_byhb\nPhase started: Load test (index: 0, duration: 30s) 13:18:39(+0000)\n\n--------------------------------------\nMetrics for period to: 13:18:50(+0000) (width: 9.211s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 
50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 7.6\n max: ......................................................................... 190.6\n mean: ........................................................................ 24.8\n median: ...................................................................... 12.8\n p95: ......................................................................... 100.5\n p99: ......................................................................... 122.7\n\n\n--------------------------------------\nMetrics for period to: 13:19:00(+0000) (width: 9.326s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 
3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 9.1\n max: ......................................................................... 62.4\n mean: ........................................................................ 13.9\n median: ...................................................................... 12.1\n p95: ......................................................................... 19.9\n p99: ......................................................................... 26.3\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:19:09(+0000)\n\n--------------------------------------\nMetrics for period to: 13:19:10(+0000) (width: 9.212s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 
16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 8.5\n max: ......................................................................... 51.1\n mean: ........................................................................ 14.9\n median: ...................................................................... 10.7\n p95: ......................................................................... 38.5\n p99: ......................................................................... 50.9\n\n\nAll VUs finished. 
Total time: 30 seconds\n\n--------------------------------\nSummary report @ 13:19:10(+0000)\n--------------------------------\n\nhttp.codes.200: ................................................................ 150\nhttp.downloaded_bytes: ......................................................... 60900\nhttp.request_rate: ............................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"connectivity": {
"message": "Successfully connected to http://host.docker.internal:8009",
"original_url": "http://host.docker.internal:8009",
"status": "success",
"working_url": "http://host.docker.internal:8009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:8009"
}
},
"tool_runs": {
"ab": {
"avg_response_time": 3.2,
"completed_requests": 20,
"configuration": {
"concurrency": 5,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"raw": {
"command": [
"ab",
"-n",
"20",
"-c",
"5",
"-g",
"ab_results.tsv",
"http://host.docker.internal:8009/"
],
"duration": 0.07644104957580566,
"exit_code": 0,
"stderr": "",
"stdout": "This is ApacheBench, Version 2.3 \u003c$Revision: 1923142 $\u003e\nCopyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\nLicensed to The Apache Software Foundation, http://www.apache.org/\n\nBenchmarking host.docker.internal (be patient).....done\n\n\nServer Software: nginx/1.29.3\nServer Hostname: host.docker.internal\nServer Port: 8009\n\nDocument Path: /\nDocument Length: 406 bytes\n\nConcurrency Level: 5\nTime taken for tests: 0.064 seconds\nComplete requests: 20\nFailed requests: 0\nTotal transferred: 15140 bytes\nHTML transferred: 8120 bytes\nRequests per second: 312.51 [#/sec] (mean)\nTime per request: 16.000 [ms] (mean)\nTime per request: 3.200 [ms] (mean, across all concurrent requests)\nTransfer rate: 231.03 [Kbytes/sec] received\n\nConnection Times (ms)\n min mean[+/-sd] median max\nConnect: 2 6 4.5 5 19\nProcessing: 3 8 6.6 6 23\nWaiting: 2 8 6.2 5 22\nTotal: 6 14 7.8 13 31\n\nPercentage of the requests served within a certain time (ms)\n 50% 13\n 66% 14\n 75% 22\n 80% 24\n 90% 29\n 95% 31\n 98% 31\n 99% 31\n 100% 31 (longest request)\n"
},
"requests_per_second": 312.51,
"status": "success",
"tool": "ab",
"total_issues": 0,
"url": "http://host.docker.internal:8009/"
},
"aiohttp": {
"avg_response_time": 4.4738,
"configuration": {
"concurrency": 3,
"requests": 20
},
"executed": true,
"failed_requests": 0,
"max_response_time": 13.024000000000001,
"median_response_time": 3.2969999999999997,
"min_response_time": 2.054,
"raw": {
"duration": 0.033414602279663086,
"errors": [],
"requests_attempted": 20
},
"requests": 20,
"status": "success",
"success_rate": 100.0,
"successful_requests": 20,
"tool": "aiohttp",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"artillery": {
"avg_response_time": 0.0,
"codes": {
"2xx": 150,
"3xx": 0,
"4xx": 0,
"5xx": 0
},
"configuration": {
"arrival_rate": 5,
"duration": 30
},
"errors": 0,
"executed": true,
"max_response_time": 0.0,
"min_response_time": 0.0,
"p50_response_time": 0.0,
"p95_response_time": 0.0,
"p99_response_time": 0.0,
"raw": {
"command": [
"artillery",
"run",
"--output",
"/tmp/performance_tests/artillery_report.json",
"/tmp/performance_tests/artillery_config.yml"
],
"duration": 41.24952745437622,
"exit_code": 0,
"stderr": "",
"stdout": "Test run id: tnqja_hq3k9f3xwkfd5kfmw5j4539nechmh_byhb\nPhase started: Load test (index: 0, duration: 30s) 13:18:39(+0000)\n\n--------------------------------------\nMetrics for period to: 13:18:50(+0000) (width: 9.211s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 61\n mean: ........................................................................ 4.4\n median: ...................................................................... 3\n p95: ......................................................................... 7\n p99: ......................................................................... 7.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 
50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 7.6\n max: ......................................................................... 190.6\n mean: ........................................................................ 24.8\n median: ...................................................................... 12.8\n p95: ......................................................................... 100.5\n p99: ......................................................................... 122.7\n\n\n--------------------------------------\nMetrics for period to: 13:19:00(+0000) (width: 9.326s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 17\n mean: ........................................................................ 
3\n median: ...................................................................... 2\n p95: ......................................................................... 4\n p99: ......................................................................... 8.9\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 9.1\n max: ......................................................................... 62.4\n mean: ........................................................................ 13.9\n median: ...................................................................... 12.1\n p95: ......................................................................... 19.9\n p99: ......................................................................... 26.3\n\n\nPhase completed: Load test (index: 0, duration: 30s) 13:19:09(+0000)\n\n--------------------------------------\nMetrics for period to: 13:19:10(+0000) (width: 9.212s)\n--------------------------------------\n\nhttp.codes.200: ................................................................ 50\nhttp.downloaded_bytes: ......................................................... 20300\nhttp.request_rate: ............................................................. 5/sec\nhttp.requests: ................................................................. 50\nhttp.response_time:\n min: ......................................................................... 1\n max: ......................................................................... 
16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.response_time.2xx:\n min: ......................................................................... 1\n max: ......................................................................... 16\n mean: ........................................................................ 3\n median: ...................................................................... 3\n p95: ......................................................................... 4\n p99: ......................................................................... 7\nhttp.responses: ................................................................ 50\nvusers.completed: .............................................................. 50\nvusers.created: ................................................................ 50\nvusers.created_by_name.Simple load test: ....................................... 50\nvusers.failed: ................................................................. 0\nvusers.session_length:\n min: ......................................................................... 8.5\n max: ......................................................................... 51.1\n mean: ........................................................................ 14.9\n median: ...................................................................... 10.7\n p95: ......................................................................... 38.5\n p99: ......................................................................... 50.9\n\n\nAll VUs finished. 
Total time: 30 seconds\n\n--------------------------------\nSummary report @ 13:19:10(+0000)\n--------------------------------\n\nhttp.codes.200: ................................................................ 150\nhttp.downloaded_bytes: ......................................................... 60900\nhttp.request_rate: ............................."
},
"requests": 150,
"requests_per_second": 5,
"responses": 150,
"status": "success",
"tool": "artillery",
"total_issues": 0,
"url": "http://host.docker.internal:8009"
},
"locust": {
"error": "Test timed out",
"executed": true,
"status": "timeout",
"tool": "locust",
"url": "http://host.docker.internal:8009"
}
}
},
"status": "success",
"target_urls": [
"http://host.docker.internal:5009",
"http://host.docker.internal:8009"
],
"tool_results": {
"ab": {
"executed": true,
"status": "success",
"tool": "ab",
"total_issues": 0
},
"aiohttp": {
"executed": true,
"status": "success",
"tool": "aiohttp",
"total_issues": 0
},
"artillery": {
"executed": true,
"status": "success",
"tool": "artillery",
"total_issues": 0
},
"locust": {
"executed": true,
"status": "timeout",
"tool": "locust"
}
},
"tools_used": [
"artillery",
"aiohttp",
"ab"
]
},
"service": "performance-tester",
"status": "success",
"timestamp": "2025-11-16T13:19:11.381241",
"type": "performance_analysis_result"
},
"static": {
"analysis": {
"_project_metadata": {
"file_counts": {
"css": 1,
"docker_compose": 1,
"dockerfile": 2,
"html": 1,
"javascript": 3,
"json": 1,
"python": 1,
"typescript": 0
},
"security_files": {
"dockerfile": true,
"gitignore": false,
"package_json": false,
"requirements_txt": false
},
"total_files": 10
},
"analysis_time": "2025-11-16T13:14:48.875397",
"app_number": 1,
"configuration_applied": false,
"model_slug": "google_gemini-2.5-flash-lite",
"results": {
"css": {},
"javascript": {
"_metadata": {
"eslint": {
"error": null,
"executed": true,
"status": "no_issues",
"total_issues": 0
}
},
"eslint": {
"executed": true,
"issues": [],
"status": "no_issues",
"tool": "eslint",
"total_issues": 0
}
},
"python": {
"_metadata": {
"bandit": {
"error": null,
"executed": true,
"format": "sarif",
"status": "no_issues",
"total_issues": 2
},
"flake8": {
"error": null,
"executed": false,
"format": null,
"status": "not_run",
"total_issues": 0
},
"mypy": {
"error": "Invalid JSON output format",
"executed": true,
"format": "json",
"status": "error",
"total_issues": 0
},
"pylint": {
"error": null,
"executed": true,
"format": "json",
"status": "success",
"total_issues": 18
},
"ruff": {
"error": null,
"executed": true,
"format": "sarif",
"status": "success",
"total_issues": 0
},
"safety": {
"error": null,
"executed": true,
"format": "json",
"status": "no_issues",
"total_issues": 0
},
"semgrep": {
"error": null,
"executed": true,
"format": "sarif",
"status": "success",
"total_issues": 2
},
"vulture": {
"error": null,
"executed": true,
"format": "json",
"status": "no_issues",
"total_issues": 0
}
},
"bandit": {
"executed": true,
"format": "sarif",
"issues": [],
"sarif": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:49Z",
"executionSuccessful": true
}
],
"properties": {
"metrics": {
"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
},
"_totals": {
"CONFIDENCE.HIGH": 1,
"CONFIDENCE.LOW": 0,
"CONFIDENCE.MEDIUM": 1,
"CONFIDENCE.UNDEFINED": 0,
"SEVERITY.HIGH": 0,
"SEVERITY.LOW": 1,
"SEVERITY.MEDIUM": 1,
"SEVERITY.UNDEFINED": 0,
"loc": 109,
"nosec": 0,
"skipped_tests": 0
}
}
},
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 53,
"snippet": {
"text": " while True:\n code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n if not Url.query.filter_by(short_code=code).first():\n"
},
"startLine": 51
},
"region": {
"endColumn": 49,
"endLine": 52,
"snippet": {
"text": " code = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n"
},
"startColumn": 24,
"startLine": 52
}
}
}
],
"message": {
"text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
},
"properties": {
"issue_confidence": "HIGH",
"issue_severity": "LOW"
},
"ruleId": "B311",
"ruleIndex": 0
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"contextRegion": {
"endLine": 144,
"snippet": {
"text": " logger.info(f\"Starting Flask app on port {port}\")\n app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startLine": 143
},
"region": {
"endColumn": 27,
"endLine": 144,
"snippet": {
"text": " app.run(host=\u00270.0.0.0\u0027, port=port)\n"
},
"startColumn": 18,
"startLine": 144
}
}
}
],
"message": {
"text": "Possible binding to all interfaces."
},
"properties": {
"issue_confidence": "MEDIUM",
"issue_severity": "MEDIUM"
},
"ruleId": "B104",
"ruleIndex": 1
}
],
"tool": {
"driver": {
"name": "Bandit",
"organization": "PyCQA",
"rules": [
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b311-random",
"id": "B311",
"name": "blacklist",
"properties": {
"precision": "high",
"tags": [
"security",
"external/cwe/cwe-330"
]
}
},
{
"helpUri": "https://bandit.readthedocs.io/en/1.8.6/plugins/b104_hardcoded_bind_all_interfaces.html",
"id": "B104",
"name": "hardcoded_bind_all_interfaces",
"properties": {
"precision": "medium",
"tags": [
"security",
"external/cwe/cwe-605"
]
}
}
],
"semanticVersion": "1.8.6",
"version": "1.8.6"
}
}
}
],
"version": "2.1.0"
},
"status": "no_issues",
"tool": "bandit",
"total_issues": 2
},
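Bandit B311 above flags `random.choice` in `generate_short_code()` (app.py line 52). The example below is added for this report and is not code from the analysed application: it shows the flagged pattern next to a `secrets`-based replacement with a bounded collision loop. The in-memory `existing` set is an assumption standing in for the `Url.query.filter_by(short_code=code).first()` lookup, and `insecure_codes_are_reproducible` uses an explicit seed only to make the determinism visible; the real app is seeded from the OS, so the practical attack is recovering the generator state from codes it has already issued. B104 on line 144 (`host='0.0.0.0'`) is a different matter: inside the Docker image this project ships, binding all interfaces is what makes the container port reachable at all, so that finding is a prompt to check which ports the compose file publishes, not a defect in app.py by itself.

```python
"""Short-code generation: the pattern Bandit flagged (B311) beside a hardened form.

Added example for this report; the in-memory `existing` set stands in for the
application's Url table (an assumption, not the project's own code).
"""
from __future__ import annotations

import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the flagged snippet
CODE_LENGTH = 6


def generate_short_code_insecure(length: int = CODE_LENGTH,
                                 rng: random.Random | None = None) -> str:
    """The flagged pattern: random.choice draws from a Mersenne Twister (MT19937).

    MT19937 is not a CSPRNG: its internal state can be reconstructed from enough
    observed output, after which every later code is known in advance. Each issued
    short link is such an observation, so other users' codes become predictable.
    """
    rng = rng if rng is not None else random
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_short_code(existing: set[str], length: int = CODE_LENGTH,
                        max_attempts: int = 100) -> str:
    """Hardened replacement: secrets.choice draws from the OS CSPRNG.

    `existing` replaces the Url.query.filter_by(short_code=code).first() lookup.
    The retry loop is bounded so a nearly full code space fails loudly instead of
    spinning forever, which the original `while True:` would do.
    """
    for _ in range(max_attempts):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if code not in existing:
            existing.add(code)
            return code
    raise RuntimeError(f"no free {length}-character code after {max_attempts} attempts")


def code_space_bits(length: int = CODE_LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy of one uniformly drawn code: length * log2(|alphabet|).

    Six symbols from 62 give about 35.7 bits: fine against blind guessing of a
    single link, irrelevant once the generator state has been recovered.
    """
    return length * math.log2(len(alphabet))


def insecure_codes_are_reproducible(seed: int = 20251116, n: int = 5) -> bool:
    """Make the B311 consequence visible: two generators in the same state emit the
    same codes. The explicit seed only demonstrates the determinism; in the real app
    an attacker reaches an equal state by recovering it from codes already issued."""
    a, b = random.Random(seed), random.Random(seed)
    first = [generate_short_code_insecure(rng=a) for _ in range(n)]
    second = [generate_short_code_insecure(rng=b) for _ in range(n)]
    return first == second


if __name__ == "__main__":
    issued: set[str] = set()
    print("secure codes:", [generate_short_code(issued) for _ in range(3)])
    print("code space bits:", round(code_space_bits(), 1))
    print("MT19937 codes reproducible from equal state:", insecure_codes_are_reproducible())
```

Swapping `random.choice` for `secrets.choice` is a one-line change in the application; the bounded retry and the entropy figure are there so the review can say why six characters are acceptable and what the real risk of B311 is.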
"mypy": {
"error": "Invalid JSON output format",
"executed": true,
"issues": [],
"sarif": {
"invocations": [
{
"endTimeUtc": "2025-11-16T13:15:35.192986+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 10,
"startLine": 21
}
}
}
],
"message": {
"text": "Name \"db.Model\" is not defined"
},
"properties": {
"severity": "high"
},
"ruleId": "type-check"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/mypy",
"name": "mypy",
"version": "unknown"
}
}
},
"status": "error",
"tool": "mypy",
"total_issues": 0
},
"pylint": {
"config_used": {},
"executed": true,
"issues": [
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 88,
"message": "Line too long (112/100)",
"module": "app",
"obj": "",
"rule": "C0301",
"severity": "low",
"symbol": "line-too-long",
"type": "convention"
},
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 111,
"message": "Line too long (119/100)",
"module": "app",
"obj": "",
"rule": "C0301",
"severity": "low",
"symbol": "line-too-long",
"type": "convention"
},
{
"column": 0,
"end_column": null,
"end_line": null,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 144,
"message": "Final newline missing",
"module": "app",
"obj": "",
"rule": "C0304",
"severity": "low",
"symbol": "missing-final-newline",
"type": "convention"
},
{
"column": 14,
"end_column": 17,
"end_line": 39,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 39,
"message": "Redefining name \u0027app\u0027 from outer scope (line 14)",
"module": "app",
"obj": "setup_app",
"rule": "W0621",
"severity": "medium",
"symbol": "redefined-outer-name",
"type": "warning"
},
{
"column": 8,
"end_column": 76,
"end_line": 81,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 81,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 11,
"end_column": 20,
"end_line": 98,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 98,
"message": "Catching too general exception Exception",
"module": "app",
"obj": "shorten_url",
"rule": "W0718",
"severity": "medium",
"symbol": "broad-exception-caught",
"type": "warning"
},
{
"column": 12,
"end_column": 112,
"end_line": 88,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 88,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 79,
"end_line": 95,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 95,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 80,
"end_line": 100,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 100,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "shorten_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 11,
"end_column": 20,
"end_line": 116,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 116,
"message": "Catching too general exception Exception",
"module": "app",
"obj": "redirect_to_url",
"rule": "W0718",
"severity": "medium",
"symbol": "broad-exception-caught",
"type": "warning"
},
{
"column": 8,
"end_column": 65,
"end_line": 115,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 108,
"message": "Unnecessary \"else\" after \"return\", remove the \"else\" and de-indent the code inside it",
"module": "app",
"obj": "redirect_to_url",
"rule": "R1705",
"severity": "low",
"symbol": "no-else-return",
"type": "refactor"
},
{
"column": 12,
"end_column": 119,
"end_line": 111,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 111,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 12,
"end_column": 65,
"end_line": 114,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 114,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 8,
"end_column": 67,
"end_line": 118,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 118,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "redirect_to_url",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 4,
"end_column": 65,
"end_line": 126,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 126,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "not_found_error",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 20,
"end_column": 25,
"end_line": 124,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 124,
"message": "Unused argument \u0027error\u0027",
"module": "app",
"obj": "not_found_error",
"rule": "W0613",
"severity": "medium",
"symbol": "unused-argument",
"type": "warning"
},
{
"column": 4,
"end_column": 70,
"end_line": 132,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 132,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "internal_server_error",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
},
{
"column": 4,
"end_column": 53,
"end_line": 143,
"file": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py",
"line": 143,
"message": "Use lazy % formatting in logging functions",
"module": "app",
"obj": "",
"rule": "W1203",
"severity": "medium",
"symbol": "logging-fstring-interpolation",
"type": "warning"
}
],
"sarif": {
"invocations": [
{
"endTimeUtc": "2025-11-16T13:14:54.769518+00:00",
"executionSuccessful": true
}
],
"results": [
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 88
}
}
}
],
"message": {
"text": "Line too long (112/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 111
}
}
}
],
"message": {
"text": "Line too long (119/100)"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0301"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startLine": 144
}
}
}
],
"message": {
"text": "Final newline missing"
},
"properties": {
"severity": "convention"
},
"ruleId": "C0304"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 14,
"startLine": 39
}
}
}
],
"message": {
"text": "setup_app: Redefining name \u0027app\u0027 from outer scope (line 14)"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0621"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 81
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 98
}
}
}
],
"message": {
"text": "shorten_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 88
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 95
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 100
}
}
}
],
"message": {
"text": "shorten_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 11,
"startLine": 116
}
}
}
],
"message": {
"text": "redirect_to_url: Catching too general exception Exception"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0718"
},
{
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 108
}
}
}
],
"message": {
"text": "redirect_to_url: Unnecessary \"else\" after \"return\", remove the \"else\" and de-indent the code inside it"
},
"properties": {
"severity": "refactor"
},
"ruleId": "R1705"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 111
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 12,
"startLine": 114
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 8,
"startLine": 118
}
}
}
],
"message": {
"text": "redirect_to_url: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 126
}
}
}
],
"message": {
"text": "not_found_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 20,
"startLine": 124
}
}
}
],
"message": {
"text": "not_found_error: Unused argument \u0027error\u0027"
},
"properties": {
"severity": "warning"
},
"ruleId": "W0613"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 132
}
}
}
],
"message": {
"text": "internal_server_error: Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
},
{
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py"
},
"region": {
"startColumn": 4,
"startLine": 143
}
}
}
],
"message": {
"text": "Use lazy % formatting in logging functions"
},
"properties": {
"severity": "warning"
},
"ruleId": "W1203"
}
],
"tool": {
"driver": {
"informationUri": "https://github.com/PyCQA/pylint",
"name": "pylint",
"version": "unknown"
}
}
},
"severity_breakdown": {
"high": 0,
"low": 4,
"medium": 14
},
"status": "success",
"tool": "pylint",
"total_issues": 18
},
"ruff": {
"executed": true,
"format": "sarif",
"output": "{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"results\": [],\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://github.com/astral-sh/ruff\",\n \"name\": \"ruff\",\n \"rules\": [],\n \"version\": \"0.14.5\"\n }\n }\n }\n ],\n \"version\": \"2.1.0\"\n}",
"sarif": {
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"results": [],
"tool": {
"driver": {
"informationUri": "https://github.com/astral-sh/ruff",
"name": "ruff",
"rules": [],
"version": "0.14.5"
}
}
}
],
"version": "2.1.0"
},
"status": "success",
"tool": "ruff",
"total_issues": 0
},
"safety": {
"executed": true,
"issues": [],
"status": "no_issues",
"tool": "safety",
"total_issues": 0
},
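The Semgrep run below reports possible h2c smuggling in `frontend/nginx.conf` (lines 22-24: `proxy_set_header Upgrade $http_upgrade;` together with `Connection 'upgrade'`). The checker that follows is an added example for this report, not code from the analysed project: it scans nginx configuration text for `proxy_set_header Upgrade` directives and reports those that can forward a client-chosen value, accepting only a variable produced by a `map $http_upgrade` block whose single non-default entry is `websocket` and whose default is the empty string (nginx omits a proxied header whose value is empty). Both sample configurations are constructed; the `proxy_pass` target and the map variable names are assumptions, since the page shows only the three flagged header lines. Whether the Flask backend would actually accept an h2c upgrade is a separate question the rule does not answer; the proxy directive is still the right place to fix.

```python
"""Detect nginx proxy blocks that forward the client's raw Upgrade header (h2c smuggling).

Added example for this report, not code from the analysed project. The sample configs
below are constructed; only the three header lines mirror the flagged nginx.conf.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directive values run up to the terminating semicolon.
UPGRADE_DIRECTIVE = re.compile(r"proxy_set_header\s+Upgrade\s+([^;]+);", re.IGNORECASE)
UPGRADE_MAP = re.compile(r"map\s+\$http_upgrade\s+(\$\w+)\s*\{([^}]*)\}", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    value: str
    reason: str


def restrictive_upgrade_maps(conf: str) -> set[str]:
    """Variables derived from $http_upgrade by a map that lets only 'websocket' through.

    A map qualifies when its sole non-default key is 'websocket' and the default is
    the empty string: nginx does not send a proxied header whose value is empty, so
    any other client-supplied protocol (h2c included) is dropped at the proxy.
    """
    safe: set[str] = set()
    for var, body in UPGRADE_MAP.findall(conf):
        entries: dict[str, str] = {}
        for raw in body.split(";"):
            parts = raw.split()
            if len(parts) == 2:
                entries[parts[0].lower()] = parts[1]
        default = entries.pop("default", None)
        if default in ('""', "''") and set(entries) <= {"websocket"}:
            safe.add(var)
    return safe


def find_h2c_upgrade_passthrough(conf: str) -> list[Finding]:
    """Report every 'proxy_set_header Upgrade ...' that can carry a client-chosen value.

    This is the condition the Semgrep rule matches: with Upgrade copied from
    $http_upgrade and Connection forced to 'upgrade', a client may ask the backend
    for h2c; if the backend agrees, nginx tunnels the connection and its own access
    rules no longer apply to what flows through it.
    """
    safe_vars = restrictive_upgrade_maps(conf)
    findings: list[Finding] = []
    for m in UPGRADE_DIRECTIVE.finditer(conf):
        value = m.group(1).strip().strip("'\"")
        line = conf.count("\n", 0, m.start()) + 1
        if value.lower() == "$http_upgrade":
            findings.append(Finding(line, value, "raw client Upgrade value forwarded"))
        elif value.startswith("$") and value not in safe_vars:
            findings.append(Finding(line, value,
                                    "Upgrade taken from a variable that is not a websocket-only map"))
        elif not value.startswith("$") and value.lower() not in ("", "websocket"):
            findings.append(Finding(line, value, "Upgrade hard-coded to a non-websocket protocol"))
    return findings


# Constructed sample mirroring the three flagged lines; the proxy_pass target is assumed.
VULNERABLE_CONF = """\
server {
    listen 80;
    location /api/ {
        proxy_pass http://backend:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
}
"""

# Constructed hardened variant: Upgrade reaches the backend only for websocket.
HARDENED_CONF = """\
map $http_upgrade $upgrade_websocket_only {
    default   "";
    websocket websocket;
}
map $http_upgrade $connection_websocket_only {
    default   close;
    websocket upgrade;
}
server {
    listen 80;
    location /api/ {
        proxy_pass http://backend:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $upgrade_websocket_only;
        proxy_set_header Connection $connection_websocket_only;
    }
}
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        hits = find_h2c_upgrade_passthrough(conf)
        print(name, "->", [(f.line, f.reason) for f in hits] or "clean")
```

The checker is deliberately strict: a map whose default passes `$http_upgrade` through, or one that maps `default` to `upgrade` (the common copy-pasted websocket recipe), is still reported, because it leaves the client in control of the protocol named in the Upgrade header. If the frontend never needs websockets, the simpler fix is to delete both `proxy_set_header` lines.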
"semgrep": {
"executed": true,
"format": "sarif",
"output": "{\"version\":\"2.1.0\",\"runs\":[{\"invocations\":[{\"executionSuccessful\":true,\"toolExecutionNotifications\":[{\"descriptor\":{\"id\":\"Syntax error\"},\"level\":\"warning\",\"message\":{\"text\":\"Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/Dockerfile:9:\\n `apt-get update \u0026\u0026 apt-get install -y \\\\\\r\\n gcc \\\\\\r\\n curl \\\\\\r\\n libxml2-dev \\\\\\r\\n libxslt-dev \\\\\\r\\n python3-dev \\\\\\r\\n \u0026\u0026 rm -rf /var/lib/apt/lists/* \u0026\u0026 break || \\\\\\r\\n (echo \\\"Retry $i: Failed to install system dependencies\\\" \u0026\u0026 sleep 2); \\\\\\r\\n done\\r\\n\\r\\n# Upgrade pip and install build tools with fallback\\r\\nRUN pip install --no-cache-dir --upgrade pip setuptools wheel || \\\\\\r\\n (echo \\\"WARNING: Failed to upgrade pip/setuptools, continuing with defaults\\\" \u0026\u0026 true)\\r\\n\\r\\n# Copy requirements first for better caching\\r\\nCOPY requirements.txt .\\r\\n\\r\\n# Install Python dependencies with multiple fallback strategies\\r\\nRUN echo \\\"=== Installing Python dependencies ===\\\" \u0026\u0026 \\\\\\r\\n (pip install --no-cache-dir -r requirements.txt \u0026\u0026 echo \\\"\u2713 Dependencies installed successfully\\\") || \\\\\\r\\n (echo \\\"\u26a0 First attempt failed, trying with --use-deprecated=legacy-resolver\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir --use-deprecated=legacy-resolver -r requirements.txt) || \\\\\\r\\n (echo \\\"\u26a0 Second attempt failed, trying packages individually\\\" \u0026\u0026 \\\\\\r\\n cat requirements.txt | grep -v \u0027^#\u0027 | grep -v \u0027^$\u0027 | while read pkg; do \\\\\\r\\n echo \\\"Installing $pkg...\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir \\\"$pkg\\\" || echo \\\"WARNING: Failed to install $pkg\\\"; \\\\\\r\\n done) || \\\\\\r\\n (echo \\\"ERROR: Failed to install dependencies. 
Image may be incomplete.\\\" \u0026\u0026 exit 1)\\r\\n\\r\\n# Verify critical Flask dependencies are installed\\r\\nRUN python -c \\\"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed\u0027)\\\" || \\\\\\r\\n (echo \\\"ERROR: Flask not installed. Installing Flask as fallback...\\\" \u0026\u0026 \\\\\\r\\n pip install --no-cache-dir Flask\u003e=3.0.0 \u0026\u0026 \\\\\\r\\n python -c \\\"import flask; print(f\u0027\u2713 Flask {flask.__version__} installed (fallback)\u0027)\\\")\\r\\n\\r\\n# Copy application code\\r\\nCOPY . .\\r\\n\\r\\n# Create data directory for SQLite databases with proper permissions\\r\\nRUN mkdir -p /app/data \u0026\u0026 chmod 777 /app/data\\r\\n\\r\\n# Validate app.py exists and has no syntax errors with detailed feedback\\r\\nRUN if [ ! -f app.py ]; then \\\\\\r\\n echo \\\"ERROR: app.py not found in /app di... (truncated 2052 more characters)\"}},{\"descriptor\":{\"id\":\"Syntax error\"},\"level\":\"warning\",\"message\":{\"text\":\"Syntax error at line /app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/Dockerfile:11:\\n `apk add --no-cache python3 make g++ \u0026\u0026 break || \\\\\\r\\n (echo \\\"Retry $i: Failed to install build tools\\\" \u0026\u0026 sleep 2); \\\\\\r\\n done || true\\r\\n\\r\\n# Copy package files\\r\\nCOPY package.json ./\\r\\n\\r\\n# Upgrade npm with fallback\\r\\nRUN npm install -g npm@latest || \\\\\\r\\n (echo \\\"WARNING: Could not upgrade npm, using existing version $(npm -v)\\\" \u0026\u0026 true)\\r\\n\\r\\n# Install dependencies with multiple fallback strategies\\r\\nRUN echo \\\"=== Installing Node dependencies ===\\\" \u0026\u0026 \\\\\\r\\n echo \\\"Node version: $(node -v)\\\" \u0026\u0026 \\\\\\r\\n echo \\\"NPM version: $(npm -v)\\\" \u0026\u0026 \\\\\\r\\n (npm ci 2\u003e/dev/null \u0026\u0026 echo \\\"\u2713 npm ci succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 npm ci failed (no package-lock.json), trying npm install...\\\" \u0026\u0026 \\\\\\r\\n npm 
install \u0026\u0026 echo \\\"\u2713 npm install succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 npm install failed, trying with legacy peer deps...\\\" \u0026\u0026 \\\\\\r\\n npm install --legacy-peer-deps \u0026\u0026 echo \\\"\u2713 Install with legacy-peer-deps succeeded\\\") || \\\\\\r\\n (echo \\\"\u26a0 Trying to install packages individually...\\\" \u0026\u0026 \\\\\\r\\n npm install react react-dom axios \u0026\u0026 \\\\\\r\\n npm install -D vite @vitejs/plugin-react \u0026\u0026 \\\\\\r\\n echo \\\"\u2713 Individual package install completed\\\") || \\\\\\r\\n (echo \\\"ERROR: All installation strategies failed\\\" \u0026\u0026 exit 1)\\r\\n\\r\\n# Verify critical dependencies\\r\\nRUN node -e \\\"require(\u0027react\u0027); console.log(\u0027\u2713 React installed\u0027);\\\" || \\\\\\r\\n (echo \\\"WARNING: React verification failed\\\" \u0026\u0026 true)\\r\\nRUN node -e \\\"require(\u0027vite\u0027); console.log(\u0027\u2713 Vite installed\u0027);\\\" || \\\\\\r\\n (echo \\\"WARNING: Vite verification failed\\\" \u0026\u0026 true)\\r\\n\\r\\n# Copy source code\\r\\nCOPY . .\\r\\n\\r\\n# Verify required files exist\\r\\nRUN if [ ! -f index.html ]; then \\\\\\r\\n echo \\\"ERROR: index.html not found\\\" \u0026\u0026 exit 1; \\\\\\r\\n fi \u0026\u0026 \\\\\\r\\n if [ ! -f vite.config.js ]; then \\\\\\r\\n echo \\\"WARNING: vite.config.js not found, creating minimal config\\\" \u0026\u0026 \\\\\\r\\n echo \u0027import { defineConfig } from \\\"vite\\\"; export default defineConfig({});\u0027 \u003e vite.config.js; \\\\\\r\\n fi \u0026\u0026 \\\\\\r\\n if [ ! -d src ]; then \\\\\\r\\n echo \\\"ERROR: src directory not found\\\" \u0026\u0026 exit 1; \\\\\\r\\n fi\\r\\n\\r\\n# Build the application with fallbacks\\r\\nRUN e... 
(truncated 3823 more characters)\"}}]}],\"results\":[{\"fingerprints\":{\"matchBasedId/v1\":\"requires login\"},\"locations\":[{\"physicalLocation\":{\"artifactLocation\":{\"uri\":\"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/backend/app.py\",\"uriBaseId\":\"%SRCROOT%\"},\"region\":{\"endColumn\":39,\"endLine\":144,\"snippet\":{\"text\":\" app.run(host=\u00270.0.0.0\u0027, port=port)\"},\"startColumn\":5,\"startLine\":144}}}],\"message\":{\"text\":\"Running flask app with host 0.0.0.0 could expose the server publicly.\"},\"properties\":{},\"ruleId\":\"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host\"},{\"fingerprints\":{\"matchBasedId/v1\":\"requires login\"},\"locations\":[{\"physicalLocation\":{\"artifactLocation\":{\"uri\":\"/app/sources/google_gemini-2.5-flash-lite/api_url_shortener/app1/frontend/nginx.conf\",\"uriBaseId\":\"%SRCROOT%\"},\"region\":{\"endColumn\":47,\"endLine\":24,\"snippet\":{\"text\":\" proxy_http_version 1.1;\\n proxy_set_header Upgrade $http_upgrade;\\n proxy_set_header Connection \u0027upgrade\u0027;\"},\"startColumn\":9,\"startLine\":22}}}],\"message\":{\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\"},\"properties\":{},\"ruleId\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\"}],\"tool\":{\"driver\":{\"name\":\"Semgrep OSS\",\"rules\":[{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data is being eval\u0027d from a `curl` command. 
An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\"},\"help\":{\"markdown\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Data is being eval\u0027d from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval\u0027ing untrusted data if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval\",\"id\":\"bash.curl.security.curl-eval.curl-eval\",\"name\":\"bash.curl.security.curl-eval.curl-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.curl.security.curl-eval.curl-eval\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\"},\"help\":{\"markdown\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"id\":\"bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"name\":\"bash.curl.security.curl-pipe-bash.curl-pipe-bash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.curl.security.curl-pipe-bash.curl-pipe-bash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. 
\u0027IFS=\\\",\\\" read -a my_array\u0027.\"},\"help\":{\"markdown\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\\\",\\\" read -a my_array\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don\u0027t set it globally. Prefer a dedicated utility such as \u0027cut\u0027 or \u0027awk\u0027 if you need to split input data. If you must use \u0027read\u0027, set IFS locally using e.g. \u0027IFS=\\\",\\\" read -a my_array\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering\",\"id\":\"bash.lang.security.ifs-tampering.ifs-tampering\",\"name\":\"bash.lang.security.ifs-tampering.ifs-tampering\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-20: Improper Input Validation\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\"},\"help\":{\"markdown\":\"Avoid \u0027gets()\u0027. 
This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\\n\",\"text\":\"Avoid \u0027gets()\u0027. This function does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 or \u0027gets_s()\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"id\":\"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"name\":\"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\"},\"help\":{\"markdown\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. 
Use \u0027fgets()\u0027 instead for reading input.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\\n\",\"text\":\"Avoid using \u0027scanf()\u0027. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use \u0027fgets()\u0027 instead for reading input.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"id\":\"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"name\":\"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\"},\"help\":{\"markdown\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. 
Use \u0027strtok_r()\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn)\\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged](https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged)\\n - [https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS](https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS)\\n - [https://stackoverflow.com/a/40335556](https://stackoverflow.com/a/40335556)\\n\",\"text\":\"Avoid using \u0027strtok()\u0027. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use \u0027strtok_r()\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"id\":\"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"name\":\"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\"},\"help\":{\"markdown\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. 
Consider using the \u0027getrandom()\u0027 function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\\n\",\"text\":\"Call to \u0027read()\u0027 without error checking is susceptible to file descriptor exhaustion. Consider using the \u0027getrandom()\u0027 function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"id\":\"c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"name\":\"c.lang.security.random-fd-exhaustion.random-fd-exhaustion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. 
Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"id\":\"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"name\":\"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\"},\"help\":{\"markdown\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. 
Replace with current recommended hashing algorithms.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n\",\"text\":\"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5\",\"id\":\"clojure.lang.security.use-of-md5.use-of-md5\",\"name\":\"clojure.lang.security.use-of-md5.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1\",\"id\":\"clojure.lang.security.use-of-sha1.use-of-sha1\",\"name\":\"clojure.lang.security.use-of-sha1.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\"},\"help\":{\"markdown\":\"Mass assignment or 
Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\\n\",\"text\":\"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"id\":\"csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"name\":\"csharp.dotnet.security.audit.mass-assignment.mass-assignment\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. 
State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\"},\"help\":{\"markdown\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\\n\",\"text\":\"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. 
State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"id\":\"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"name\":\"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... /\u003e`\"},\"help\":{\"markdown\":\"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... 
/\u003e`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug)\\n - [https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/](https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/)\\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\\n\",\"text\":\"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `\u003ccompilation ... 
/\u003e`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug\",\"id\":\"csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug\",\"name\":\"csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\"},\"help\":{\"markdown\":\"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\\n\",\"text\":\"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled\",\"id\":\"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled\",\"name\":\"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1323: Improper Management of Sensitive Trace Data\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\"},\"help\":{\"markdown\":\"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\\n\",\"text\":\"User-controllable string passed to Razor.Parse. 
This leads directly to code execution in the context of the process.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection\",\"id\":\"csharp.dotnet.security.razor-template-injection.razor-template-injection\",\"name\":\"csharp.dotnet.security.razor-template-injection.razor-template-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\"},\"help\":{\"markdown\":\"Usage of the insecure ECB mode detected. 
You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\\n\",\"text\":\"Usage of the insecure ECB mode detected. 
You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode\",\"id\":\"csharp.dotnet.security.use_ecb_mode.use_ecb_mode\",\"name\":\"csharp.dotnet.security.use_ecb_mode.use_ecb_mode\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\"},\"help\":{\"markdown\":\"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. 
Use System.Security.Cryptography.RandomNumberGenerator instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\\n\",\"text\":\"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. 
Use System.Security.Cryptography.RandomNumberGenerator instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration\",\"id\":\"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration\",\"name\":\"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\"},\"help\":{\"markdown\":\"Cookie Secure flag is explicitly disabled. 
You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN\u0026view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\\n\",\"text\":\"Cookie Secure flag is explicitly disabled. 
You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings\",\"id\":\"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings\",\"name\":\"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\"},\"help\":{\"markdown\":\"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. 
It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\\n\",\"text\":\"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. 
It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation\",\"id\":\"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation\",\"name\":\"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-613: Insufficient Session Expiration\",\"HIGH CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\"},\"help\":{\"markdown\":\"Validating certificates based on subject name is bad practice. 
Use the X509Certificate2.Verify() method instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\\n\",\"text\":\"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation\",\"id\":\"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation\",\"name\":\"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\"},\"help\":{\"markdown\":\"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. 
If the path is user-supplied data this can lead to path traversal.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\\n\",\"text\":\"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine\",\"id\":\"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine\",\"name\":\"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. 
If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \\\"*.asdf.gov\\\" if you own all of \\\"asdf.gov\\\".\"},\"help\":{\"markdown\":\"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \\\"*.asdf.gov\\\" if you own all of \\\"asdf.gov\\\".\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\\n\",\"text\":\"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. 
For example, you can use \\\"*.asdf.gov\\\" if you own all of \\\"asdf.gov\\\".\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings\",\"id\":\"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings\",\"name\":\"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-706: Use of Incorrectly-Resolved Name or Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\"},\"help\":{\"markdown\":\"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection)\\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\\n\",\"text\":\"The software constructs all or part of an OS command using 
externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection\",\"id\":\"csharp.lang.security.injections.os-command.os-command-injection\",\"name\":\"csharp.lang.security.injections.os-command.os-command-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.injections.os-command.os-command-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure\"},\"help\":{\"markdown\":\"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
BinaryFormatter is insecure and can\u0027t be made secure\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\\n\",\"text\":\"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. BinaryFormatter is insecure and can\u0027t be made secure\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"HIGH CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Only use DataContractResolver if you are completely sure of what information is being serialized. 
Malicious types can cause unexpected behavior.\"},\"help\":{\"markdown\":\"Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver)\\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\\n\",\"text\":\"Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver\",\"id\":\"csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver\",\"name\":\"csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\"},\"help\":{\"markdown\":\"$type extension has the potential to be 
unsafe, so use it with common sense and known json sources and not public facing ones to be safe\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\\n\",\"text\":\"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\"},\"help\":{\"markdown\":\"The FsPickler is dangerous and is not recommended for data processing. 
Default configuration tend to insecure deserialization vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\\n\",\"text\":\"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\"},\"help\":{\"markdown\":\"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. 
Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\\n\",\"text\":\"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full\",\"id\":\"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full\",\"name\":\"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\"},\"help\":{\"markdown\":\"The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks)\\n\",\"text\":\"The SimpleTypeResolver class is insecure and should not be used. 
Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\"},\"help\":{\"markdown\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. 
LosFormatter is insecure and can\u0027t be made secure\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\\n\",\"text\":\"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they\u0027re processing to be trustworthy. LosFormatter is insecure and can\u0027t be made secure\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"id\":\"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"name\":\"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The NetDataContractSerializer type is dangerous and is not recommended for data processing. 
which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount\",\"id\":\"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount\",\"name\":\"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"CWE-862: Missing Authorization\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\"},\"help\":{\"markdown\":\"The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as \u0027root\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\\n\",\"text\":\"The last user in the container is \u0027root\u0027. This is a security hazard because if an attacker gains control of the container they will have root access. 
Switch back to another user after running commands as \u0027root\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root\",\"id\":\"dockerfile.security.last-user-is-root.last-user-is-root\",\"name\":\"dockerfile.security.last-user-is-root.last-user-is-root\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\"},\"help\":{\"markdown\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. 
Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint\",\"id\":\"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint\",\"name\":\"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\"},\"help\":{\"markdown\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"By not specifying a USER, a program in the container may run as \u0027root\u0027. This is a security hazard. 
If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than \u0027root\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user\",\"id\":\"dockerfile.security.missing-user.missing-user\",\"name\":\"dockerfile.security.missing-user.missing-user\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: dockerfile.security.missing-user.missing-user\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\"},\"help\":{\"markdown\":\"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\\n\",\"text\":\"Avoid using sudo in Dockerfiles. 
Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile\",\"id\":\"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile\",\"name\":\"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"HIGH CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Semgrep found a bash reverse shell\"},\"help\":{\"markdown\":\"Semgrep found a bash reverse shell\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Semgrep found a bash reverse shell\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell\",\"id\":\"generic.ci.security.bash-reverse-shell.bash_reverse_shell\",\"name\":\"generic.ci.security.bash-reverse-shell.bash_reverse_shell\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.ci.security.bash-reverse-shell.bash_reverse_shell\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\"},\"help\":{\"markdown\":\"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). To fix, add a path separator to the end of the path.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\\n\",\"text\":\"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., \u0027/\u0027). 
To fix, add a path separator to the end of the path.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal\",\"id\":\"generic.nginx.security.alias-path-traversal.alias-path-traversal\",\"name\":\"generic.nginx.security.alias-path-traversal.alias-path-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\"},\"help\":{\"markdown\":\"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\\n\",\"text\":\"The host for this proxy URL is dynamically determined. 
This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with \u0027map\u0027 or something similar.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host\",\"id\":\"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host\",\"name\":\"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\"},\"help\":{\"markdown\":\"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\\n\",\"text\":\"The protocol scheme for this proxy is dynamically determined. 
This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme\",\"id\":\"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme\",\"name\":\"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-16: CWE CATEGORY: Configuration\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\\\s]+\u0027.\"},\"help\":{\"markdown\":\"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. 
To fix, do not allow whitespace in the path parameter: \u0027[^\\\\s]+\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\\n\",\"text\":\"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: \u0027[^\\\\s]+\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection\",\"id\":\"generic.nginx.security.header-injection.header-injection\",\"name\":\"generic.nginx.security.header-injection.header-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.header-injection.header-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. 
To fix this, explicitly set all headers or set all headers in the server block.\"},\"help\":{\"markdown\":\"The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition)\\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)\\n\",\"text\":\"The \u0027add_header\u0027 directive is called in a \u0027location\u0027 block after headers have been set at the server block. Calling \u0027add_header\u0027 in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. 
To fix this, explicitly set all headers or set all headers in the server block.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition\",\"id\":\"generic.nginx.security.header-redefinition.header-redefinition\",\"name\":\"generic.nginx.security.header-redefinition.header-redefinition\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-16: CWE CATEGORY: Configuration\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.header-redefinition.header-redefinition\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\"},\"help\":{\"markdown\":\"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the \u0027https\u0027 scheme.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. 
To fix this, include the \u0027https\u0027 scheme.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect\",\"id\":\"generic.nginx.security.insecure-redirect.insecure-redirect\",\"name\":\"generic.nginx.security.insecure-redirect.insecure-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\"},\"help\":{\"markdown\":\"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\\n\",\"text\":\"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. 
Prefer use of TLSv1.2 or later.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version\",\"id\":\"generic.nginx.security.insecure-ssl-version.insecure-ssl-version\",\"name\":\"generic.nginx.security.insecure-ssl-version.insecure-ssl-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\"},\"help\":{\"markdown\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). 
Include the \u0027internal\u0027 directive in this block to limit exposure.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\\n\",\"text\":\"This location block contains a \u0027proxy_pass\u0027 directive but does not contain the \u0027internal\u0027 directive. The \u0027internal\u0027 directive restricts access to this location to internal requests. Without \u0027internal\u0027, an attacker could use your server for server-side request forgeries (SSRF). Include the \u0027internal\u0027 directive in this block to limit exposure.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal\",\"id\":\"generic.nginx.security.missing-internal.missing-internal\",\"name\":\"generic.nginx.security.missing-internal.missing-internal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-16: CWE CATEGORY: Configuration\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. 
By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\"},\"help\":{\"markdown\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\\n\",\"text\":\"This server configuration is missing the \u0027ssl_protocols\u0027 directive. By default, this server will use \u0027ssl_protocols TLSv1 TLSv1.1 TLSv1.2\u0027, and versions older than TLSv1.2 are known to be broken. 
Explicitly specify \u0027ssl_protocols TLSv1.2 TLSv1.3\u0027 to use secure TLS versions.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"id\":\"generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"name\":\"generic.nginx.security.missing-ssl-version.missing-ssl-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\"},\"help\":{\"markdown\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). 
WebSocket support not required: Do not forward Upgrade headers.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\\n\",\"text\":\"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). 
WebSocket support not required: Do not forward Upgrade headers.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"id\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"name\":\"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Amazon MWS Auth Token detected\"},\"help\":{\"markdown\":\"Amazon MWS Auth Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Amazon MWS Auth Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"id\":\"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"name\":\"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded 
Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Artifactory token detected\"},\"help\":{\"markdown\":\"Artifactory token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Artifactory token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"id\":\"generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"name\":\"generic.secrets.security.detected-artifactory-password.detected-artifactory-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Artifactory token detected\"},\"help\":{\"markdown\":\"Artifactory token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Artifactory token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"id\":\"generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"name\":\"generic.secrets.security.detected-artifactory-token.detected-artifactory-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\"},\"help\":{\"markdown\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. 
Instead, read this value from an environment variable or keep it in a separate, private file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"id\":\"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"name\":\"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\"},\"help\":{\"markdown\":\"AWS Account ID detected. 
While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"id\":\"generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"name\":\"generic.secrets.security.detected-aws-account-id.detected-aws-account-id\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-account-id.detected-aws-account-id\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS AppSync GraphQL Key detected\"},\"help\":{\"markdown\":\"AWS AppSync GraphQL Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS AppSync GraphQL Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"id\":\"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"name\":\"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Secret Access Key detected\"},\"help\":{\"markdown\":\"AWS Secret Access Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Secret Access Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"id\":\"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"name\":\"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"AWS Session Token detected\"},\"help\":{\"markdown\":\"AWS Session Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"AWS Session Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"id\":\"generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"name\":\"generic.secrets.security.detected-aws-session-token.detected-aws-session-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-aws-session-token.detected-aws-session-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"bcrypt hash detected\"},\"help\":{\"markdown\":\"bcrypt hash detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"bcrypt hash detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"id\":\"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"name\":\"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"CodeClimate detected\"},\"help\":{\"markdown\":\"CodeClimate detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\\n - 
[https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"CodeClimate detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"id\":\"generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"name\":\"generic.secrets.security.detected-codeclimate.detected-codeclimate\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"linux shadow file detected\"},\"help\":{\"markdown\":\"linux shadow file detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"linux shadow file detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"id\":\"generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"name\":\"generic.secrets.security.detected-etc-shadow.detected-etc-shadow\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - 
Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Facebook Access Token detected\"},\"help\":{\"markdown\":\"Facebook Access Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Facebook Access Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"id\":\"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"name\":\"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Facebook OAuth detected\"},\"help\":{\"markdown\":\"Facebook OAuth detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Facebook OAuth detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth\",\"id\":\"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth\",\"name\":\"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Generic API Key detected\"},\"help\":{\"markdown\":\"Generic API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key)\\n - [https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json)\\n\",\"text\":\"Generic API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key\",\"id\":\"generic.secrets.security.detected-generic-api-key.detected-generic-api-key\",\"name\":\"generic.secrets.security.detected-generic-api-key.detected-generic-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-generic-api-key.detected-generic-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Generic Secret detected\"},\"help\":{\"markdown\":\"Generic Secret detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Generic Secret detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret\",\"id\":\"generic.secrets.security.detected-generic-secret.detected-generic-secret\",\"name\":\"generic.secrets.security.detected-generic-secret.detected-generic-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-generic-secret.detected-generic-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"GitHub Token detected\"},\"help\":{\"markdown\":\"GitHub Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"GitHub Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token\",\"id\":\"generic.secrets.security.detected-github-token.detected-github-token\",\"name\":\"generic.secrets.security.detected-github-token.detected-github-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-github-token.detected-github-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Google OAuth Access Token detected\"},\"help\":{\"markdown\":\"Google OAuth Access Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)\\n - 
[https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Google OAuth Access Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token\",\"id\":\"generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token\",\"name\":\"generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Heroku API Key detected\"},\"help\":{\"markdown\":\"Heroku API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Heroku API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key\",\"id\":\"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key\",\"name\":\"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"HockeyApp detected\"},\"help\":{\"markdown\":\"HockeyApp detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"HockeyApp detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp\",\"id\":\"generic.secrets.security.detected-hockeyapp.detected-hockeyapp\",\"name\":\"generic.secrets.security.detected-hockeyapp.detected-hockeyapp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-hockeyapp.detected-hockeyapp\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"JWT token 
detected\"},\"help\":{\"markdown\":\"JWT token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\\n\",\"text\":\"JWT token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token\",\"id\":\"generic.secrets.security.detected-jwt-token.detected-jwt-token\",\"name\":\"generic.secrets.security.detected-jwt-token.detected-jwt-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-321: Use of Hard-coded Cryptographic Key\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Kolide API Key detected\"},\"help\":{\"markdown\":\"Kolide API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Kolide API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key\",\"id\":\"generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key\",\"name\":\"generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"MailChimp API Key detected\"},\"help\":{\"markdown\":\"MailChimp API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"MailChimp API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key\",\"id\":\"generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key\",\"name\":\"generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Mailgun API Key detected\"},\"help\":{\"markdown\":\"Mailgun API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Mailgun API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key\",\"id\":\"generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key\",\"name\":\"generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"NPM registry authentication token detected\"},\"help\":{\"markdown\":\"NPM registry authentication token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)\\n - 
[https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"NPM registry authentication token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token\",\"id\":\"generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token\",\"name\":\"generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Onfido live API Token detected\"},\"help\":{\"markdown\":\"Onfido live API Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\\n\",\"text\":\"Onfido live API Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token\",\"id\":\"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token\",\"name\":\"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Outlook Team detected\"},\"help\":{\"markdown\":\"Outlook Team detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Outlook Team detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team\",\"id\":\"generic.secrets.security.detected-outlook-team.detected-outlook-team\",\"name\":\"generic.secrets.security.detected-outlook-team.detected-outlook-team\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-outlook-team.detected-outlook-team\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"PayPal Braintree Access Token detected\"},\"help\":{\"markdown\":\"PayPal Braintree Access Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"PayPal Braintree Access Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token\",\"id\":\"generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token\",\"name\":\"generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\"},\"help\":{\"markdown\":\"Something that looks like a PGP private key block is detected. 
This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block\",\"id\":\"generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block\",\"name\":\"generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Picatic API Key detected\"},\"help\":{\"markdown\":\"Picatic API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Picatic API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key\",\"id\":\"generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key\",\"name\":\"generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\"},\"help\":{\"markdown\":\"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Private Key detected. This is a sensitive credential and should not be hardcoded here. 
Instead, store this in a separate, private file.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key\",\"id\":\"generic.secrets.security.detected-private-key.detected-private-key\",\"name\":\"generic.secrets.security.detected-private-key.detected-private-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Sauce Token detected\"},\"help\":{\"markdown\":\"Sauce Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Sauce Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token\",\"id\":\"generic.secrets.security.detected-sauce-token.detected-sauce-token\",\"name\":\"generic.secrets.security.detected-sauce-token.detected-sauce-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
generic.secrets.security.detected-sauce-token.detected-sauce-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SendGrid API Key detected\"},\"help\":{\"markdown\":\"SendGrid API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"SendGrid API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key\",\"id\":\"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key\",\"name\":\"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Slack Token detected\"},\"help\":{\"markdown\":\"Slack Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token)\\n - 
[https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58](https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58)\\n\",\"text\":\"Slack Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token\",\"id\":\"generic.secrets.security.detected-slack-token.detected-slack-token\",\"name\":\"generic.secrets.security.detected-slack-token.detected-slack-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-slack-token.detected-slack-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Slack Webhook detected\"},\"help\":{\"markdown\":\"Slack Webhook detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook)\\n - [https://api.slack.com/messaging/webhooks](https://api.slack.com/messaging/webhooks)\\n\",\"text\":\"Slack Webhook detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook\",\"id\":\"generic.secrets.security.detected-slack-webhook.detected-slack-webhook\",\"name\":\"generic.secrets.security.detected-slack-webhook.detected-slack-webhook\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW 
CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-slack-webhook.detected-slack-webhook\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Snyk API Key detected\"},\"help\":{\"markdown\":\"Snyk API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Snyk API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key\",\"id\":\"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key\",\"name\":\"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SoftLayer API Key detected\"},\"help\":{\"markdown\":\"SoftLayer API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"SoftLayer API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key\",\"id\":\"generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key\",\"name\":\"generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SonarQube Docs API Key detected\"},\"help\":{\"markdown\":\"SonarQube Docs API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"SonarQube Docs API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key\",\"id\":\"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key\",\"name\":\"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Square Access Token detected\"},\"help\":{\"markdown\":\"Square Access Token detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Square Access Token detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token\",\"id\":\"generic.secrets.security.detected-square-access-token.detected-square-access-token\",\"name\":\"generic.secrets.security.detected-square-access-token.detected-square-access-token\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication 
Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-square-access-token.detected-square-access-token\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Square OAuth Secret detected\"},\"help\":{\"markdown\":\"Square OAuth Secret detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\\n\",\"text\":\"Square OAuth Secret detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret\",\"id\":\"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret\",\"name\":\"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SSH Password detected\"},\"help\":{\"markdown\":\"SSH Password detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"SSH Password detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password\",\"id\":\"generic.secrets.security.detected-ssh-password.detected-ssh-password\",\"name\":\"generic.secrets.security.detected-ssh-password.detected-ssh-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: generic.secrets.security.detected-ssh-password.detected-ssh-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Stripe API Key detected\"},\"help\":{\"markdown\":\"Stripe API Key detected\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Stripe API Key detected\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
It\u0027s only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"id\":\"go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"name\":\"go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-345: Insufficient Verification of Data Authenticity\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\"},\"help\":{\"markdown\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. 
Instead, use an algorithm such as \u0027HS256\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of the \u0027none\u0027 algorithm in a JWT token. The \u0027none\u0027 algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the \u0027none\u0027 algorithm. Instead, use an algorithm such as \u0027HS256\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"id\":\"go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"name\":\"go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. 
It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key\",\"id\":\"go.jwt-go.security.jwt.hardcoded-jwt-key\",\"name\":\"go.jwt-go.security.jwt.hardcoded-jwt-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). 
It is recommended to use `net/http` or a web framework to build a web application instead.\"},\"help\":{\"markdown\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used)\\n - [https://godoc.org/golang.org/x/crypto/sha3](https://godoc.org/golang.org/x/crypto/sha3)\\n\",\"text\":\"The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"id\":\"go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"name\":\"go.lang.security.audit.crypto.bad_imports.insecure-module-used\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.bad_imports.insecure-module-used\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. 
See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\"},\"help\":{\"markdown\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key)\\n - [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/)\\n - [https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d](https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d)\\n\",\"text\":\"Disabled host key verification detected. This allows man-in-the-middle attacks. Use the \u0027golang.org/x/crypto/ssh/knownhosts\u0027 package to do host key verification. 
See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"id\":\"go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"name\":\"go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-322: Key Exchange without Entity Authentication\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Do not use `math/rand`. Use `crypto/rand` instead.\"},\"help\":{\"markdown\":\"Do not use `math/rand`. Use `crypto/rand` instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\\n\",\"text\":\"Do not use `math/rand`. 
Use `crypto/rand` instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used\",\"id\":\"go.lang.security.audit.crypto.math_random.math-random-used\",\"name\":\"go.lang.security.audit.crypto.math_random.math-random-used\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\"},\"help\":{\"markdown\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. 
Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\\n - [https://go.dev/doc/go1.22#minor_library_changes](https://go.dev/doc/go1.22#minor_library_changes)\\n - [https://pkg.go.dev/crypto/tls#:~:text=MinVersion](https://pkg.go.dev/crypto/tls#:~:text=MinVersion)\\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\\n\",\"text\":\"`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. 
Add `MinVersion: tls.VersionTLS13\u0027 to the TLS configuration to bump the minimum version to TLS 1.3.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"id\":\"go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"name\":\"go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\"},\"help\":{\"markdown\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\\n\",\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"id\":\"go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"name\":\"go.lang.security.audit.crypto.sha224-hash.sha224-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.sha224-hash.sha224-hash\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. 
Instead, use \u0027tls.VersionTLS13\u0027.\"},\"help\":{\"markdown\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\\n\",\"text\":\"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use \u0027tls.VersionTLS13\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"id\":\"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"name\":\"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\"},\"help\":{\"markdown\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. 
Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\\n\",\"text\":\"Detected an insecure CipherSuite via the \u0027tls\u0027 module. This suite is considered weak. Use the function \u0027tls.CipherSuites()\u0027 to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"id\":\"go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"name\":\"go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\"},\"help\":{\"markdown\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. 
Use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\"},\"help\":{\"markdown\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. 
Use AES instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\"},\"help\":{\"markdown\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"RSA keys should be at least 2048 bits\"},\"help\":{\"markdown\":\"RSA keys should be at least 2048 bits\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key)\\n - 
[https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\\n\",\"text\":\"RSA keys should be at least 2048 bits\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"id\":\"go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"name\":\"go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Write. Audit the input to \u0027$CW.Write\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"id\":\"go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"name\":\"go.lang.security.audit.dangerous-command-write.dangerous-command-write\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside exec.Cmd. Audit the input to \u0027exec.Cmd\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"id\":\"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"name\":\"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Command. Audit the input to \u0027exec.Command\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"id\":\"go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"name\":\"go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. 
If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static command inside Exec. Audit the input to \u0027syscall.Exec\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"id\":\"go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"name\":\"go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\"},\"help\":{\"markdown\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. 
Audit this call to ensure the SQL is not manipulable by external data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"id\":\"go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"name\":\"go.lang.security.audit.database.string-formatted-query.string-formatted-query\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.database.string-formatted-query.string-formatted-query\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. 
Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use the `golang.org/x/crypto/bcrypt` package.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"id\":\"go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"name\":\"go.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\"},\"help\":{\"markdown\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. 
Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"id\":\"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"name\":\"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"HIGH CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. 
Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\\n\",\"text\":\"A session cookie was detected without setting the \u0027HttpOnly\u0027 flag. The \u0027HttpOnly\u0027 flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the \u0027HttpOnly\u0027 flag by setting \u0027HttpOnly\u0027 to \u0027true\u0027 in the Cookie.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"id\":\"go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"name\":\"go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. 
The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\"},\"help\":{\"markdown\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\\n\",\"text\":\"A session cookie was detected without setting the \u0027Secure\u0027 flag. The \u0027secure\u0027 flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the \u0027Secure\u0027 flag by setting \u0027Secure\u0027 to \u0027true\u0027 in the Options struct.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"id\":\"go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"name\":\"go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\"},\"help\":{\"markdown\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. 
Ensure that your ClientTrace is statically defined.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\\n\",\"text\":\"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for \u0027$TRACE\u0027. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"id\":\"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"name\":\"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-913: Improper Control of Dynamically-Managed Code Resources\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. 
If user data can reach this template, you may have a XSS vulnerability.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.HTML()\u0027. \u0027template.HTML()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"id\":\"go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"name\":\"go.lang.security.audit.net.formatted-template-string.formatted-template-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The profiling \u0027pprof\u0027 endpoint is automatically 
exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\"},\"help\":{\"markdown\":\"The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure)\\n - [https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/](https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/)\\n\",\"text\":\"The profiling \u0027pprof\u0027 endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \\\"net/http/pprof\\\"`. 
See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"id\":\"go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"name\":\"go.lang.security.audit.net.pprof.pprof-debug-exposure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-489: Active Debug Code\",\"LOW CONFIDENCE\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.pprof.pprof-debug-exposure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr)\\n - [https://golang.org/pkg/html/template/#HTMLAttr](https://golang.org/pkg/html/template/#HTMLAttr)\\n\",\"text\":\"Found a formatted template string passed to \u0027template. HTMLAttr()\u0027. \u0027template.HTMLAttr()\u0027 does not escape contents. 
Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. Be absolutely sure there is no user-controlled data in this template.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.JS()\u0027. \u0027template.JS()\u0027 does not escape contents. 
Be absolutely sure there is no user-controlled data in this template.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\"},\"help\":{\"markdown\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. 
Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url)\\n - [https://golang.org/pkg/html/template/#URL](https://golang.org/pkg/html/template/#URL)\\n\",\"text\":\"Found a formatted template string passed to \u0027template.URL()\u0027. \u0027template.URL()\u0027 does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"id\":\"go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"name\":\"go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\"},\"help\":{\"markdown\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. 
See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\\n\",\"text\":\"Found an HTTP server without TLS. Use \u0027http.ListenAndServeTLS\u0027 instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls\",\"id\":\"go.lang.security.audit.net.use-tls.use-tls\",\"name\":\"go.lang.security.audit.net.use-tls.use-tls\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\"},\"help\":{\"markdown\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. 
If you must do this, ensure your data is sanitized or escaped.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"id\":\"go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"name\":\"go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. 
Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\"},\"help\":{\"markdown\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"\u0027reflect.MakeFunc\u0027 detected. This will sidestep protections that are normally afforded by Go\u0027s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"id\":\"go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"name\":\"go.lang.security.audit.reflect-makefunc.reflect-makefunc\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-913: Improper Control of Dynamically-Managed Code Resources\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.reflect-makefunc.reflect-makefunc\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli)\\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a \\\"database/sql\\\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use prepared statements with the \u0027Prepare\u0027 and \u0027PrepareContext\u0027 calls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"id\":\"go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"name\":\"go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli)\\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"id\":\"go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"name\":\"go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? 
FROM table, data1)\u0027\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: \u0027(SELECT ? FROM table, data1)\u0027\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"id\":\"go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"name\":\"go.lang.security.audit.sqli.pg-sqli.pg-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. 
This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"id\":\"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"name\":\"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were 
not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\"},\"help\":{\"markdown\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. 
This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"id\":\"go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"name\":\"go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\"},\"help\":{\"markdown\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. 
To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template)\\n - [https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security](https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security)\\n\",\"text\":\"When working with web applications that involve rendering user-generated content, it\u0027s important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it\u0027s recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. 
By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.import-text-template.import-text-template\",\"id\":\"go.lang.security.audit.xss.import-text-template.import-text-template\",\"name\":\"go.lang.security.audit.xss.import-text-template.import-text-template\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.import-text-template.import-text-template\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\"},\"help\":{\"markdown\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected directly writing or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package and render data using \u0027template.Execute()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"id\":\"go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"name\":\"go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package to render data to users.\"},\"help\":{\"markdown\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected \u0027Fprintf\u0027 or similar writing to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package to render data to users.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter\",\"id\":\"go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter\",\"name\":\"go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\"},\"help\":{\"markdown\":\"Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. 
Use explicit tags instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag)\\n - [https://github.com/golang/go/issues/19669](https://github.com/golang/go/issues/19669)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag\",\"id\":\"go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag\",\"name\":\"go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. 
Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\"},\"help\":{\"markdown\":\"Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string)\\n - [https://github.com/golang/go/issues/9200#issuecomment-66100328](https://github.com/golang/go/issues/9200#issuecomment-66100328)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. 
Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string\",\"id\":\"go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string\",\"name\":\"go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\"},\"help\":{\"markdown\":\"Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package to render data to users.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\\n\",\"text\":\"Detected \u0027io.WriteString()\u0027 writing directly to \u0027http.ResponseWriter\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter\",\"id\":\"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter\",\"name\":\"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. 
This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\"},\"help\":{\"markdown\":\"Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the \u0027html/template\u0027 package to render data to users.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected \u0027printf\u0027 or similar in \u0027http.ResponseWriter.write()\u0027. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. 
Instead, use the \u0027html/template\u0027 package to render data to users.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter\",\"id\":\"go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter\",\"name\":\"go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use \u0027template.Execute()\u0027.\"},\"help\":{\"markdown\":\"Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. 
Instead, do not use this function and use \u0027template.Execute()\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type)\\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33)\\n\",\"text\":\"Semgrep could not determine that the argument to \u0027template.HTML()\u0027 is a constant. \u0027template.HTML()\u0027 and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. 
Instead, do not use this function and use \u0027template.Execute()\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type\",\"id\":\"go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type\",\"name\":\"go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"File creation in shared tmp directory without using `io.CreateTemp`.\"},\"help\":{\"markdown\":\"File creation in shared tmp directory without using `io.CreateTemp`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n - [https://pkg.go.dev/io/ioutil#TempFile](https://pkg.go.dev/io/ioutil#TempFile)\\n - [https://pkg.go.dev/os#CreateTemp](https://pkg.go.dev/os#CreateTemp)\\n - [https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67](https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67)\\n\",\"text\":\"File creation in shared tmp directory without using `io.CreateTemp`.\\n\ud83d\udc8e Enable cross-file 
analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation\",\"id\":\"go.lang.security.bad_tmp.bad-tmp-file-creation\",\"name\":\"go.lang.security.bad_tmp.bad-tmp-file-creation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-377: Insecure Temporary File\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.bad_tmp.bad-tmp-file-creation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \"},\"help\":{\"markdown\":\"Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. \\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb)\\n - [https://golang.org/pkg/io/#CopyN](https://golang.org/pkg/io/#CopyN)\\n - [https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go](https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go)\\n\",\"text\":\"Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. 
\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb\",\"id\":\"go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb\",\"name\":\"go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-400: Uncontrolled Resource Consumption\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\\\"/\\\"+strings.Trim(req.URL.Path, \\\"/\\\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\"},\"help\":{\"markdown\":\"`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\\\"/\\\"+strings.Trim(req.URL.Path, \\\"/\\\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. 
See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse)\\n - [https://pkg.go.dev/path#Clean](https://pkg.go.dev/path#Clean)\\n - [http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html](http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html)\\n - [https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/](https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/)\\n - [https://dzx.cz/2021/04/02/go_path_traversal/](https://dzx.cz/2021/04/02/go_path_traversal/)\\n - [https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme](https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme)\\n\",\"text\":\"`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\\\"/\\\"+strings.Trim(req.URL.Path, \\\"/\\\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. 
See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse\",\"id\":\"go.lang.security.filepath-clean-misuse.filepath-clean-misuse\",\"name\":\"go.lang.security.filepath-clean-misuse.filepath-clean-misuse\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.filepath-clean-misuse.filepath-clean-misuse\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\"},\"help\":{\"markdown\":\"An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. 
When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect)\\n - [https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html](https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html)\\n\",\"text\":\"An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect\",\"id\":\"go.lang.security.injection.open-redirect.open-redirect\",\"name\":\"go.lang.security.injection.open-redirect.open-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.injection.open-redirect.open-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected user input flowing into a manually constructed HTML string. 
You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\"},\"help\":{\"markdown\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format)\\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\\n\",\"text\":\"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. 
Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format\",\"id\":\"go.lang.security.injection.raw-html-format.raw-html-format\",\"name\":\"go.lang.security.injection.raw-html-format.raw-html-format\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.injection.raw-html-format.raw-html-format\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\\\"SELECT * FROM t WHERE id = ?\\\", id)`) or a safe library.\"},\"help\":{\"markdown\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`db.Query(\\\"SELECT * FROM t WHERE id = ?\\\", id)`) or a safe library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string)\\n - [https://golang.org/doc/database/sql-injection](https://golang.org/doc/database/sql-injection)\\n - [https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/](https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/)\\n\",\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\\\"SELECT * FROM t WHERE id = ?\\\", id)`) or a safe library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"id\":\"go.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"name\":\"go.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.injection.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A request was found to be crafted from user-input `$REQUEST`. 
This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\"},\"help\":{\"markdown\":\"A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host)\\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\\n\",\"text\":\"A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. 
When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host\",\"id\":\"go.lang.security.injection.tainted-url-host.tainted-url-host\",\"name\":\"go.lang.security.injection.tainted-url-host.tainted-url-host\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"HIGH CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.injection.tainted-url-host.tainted-url-host\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\"},\"help\":{\"markdown\":\"ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director)\\n - [https://github.com/golang/go/issues/50580](https://github.com/golang/go/issues/50580)\\n\",\"text\":\"ReverseProxy can remove headers added by Director. 
Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director\",\"id\":\"go.lang.security.reverseproxy-director.reverseproxy-director\",\"name\":\"go.lang.security.reverseproxy-director.reverseproxy-director\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-115: Misinterpretation of Input\",\"MEDIUM CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.lang.security.reverseproxy-director.reverseproxy-director\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"File traversal when extracting zip archive\"},\"help\":{\"markdown\":\"File traversal when extracting zip archive\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"File traversal when extracting zip archive\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction\",\"id\":\"go.lang.security.zip.path-traversal-inside-zip-extraction\",\"name\":\"go.lang.security.zip.path-traversal-inside-zip-extraction\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
go.lang.security.zip.path-traversal-inside-zip-extraction\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\"},\"help\":{\"markdown\":\"Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected non-static script inside otto VM. Audit the input to \u0027VM.Run\u0027. If unverified user data can reach this call site, this is a code injection vulnerability. 
A malicious actor can inject a malicious script to execute arbitrary code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution\",\"id\":\"go.otto.security.audit.dangerous-execution.dangerous-execution\",\"name\":\"go.otto.security.audit.dangerous-execution.dangerous-execution\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: go.otto.security.audit.dangerous-execution.dangerous-execution\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\"},\"help\":{\"markdown\":\"This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. 
To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity)\\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\\n\",\"text\":\"This tag is missing an \u0027integrity\u0027 subresource integrity attribute. The \u0027integrity\u0027 attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the \u0027integrity\u0027 attribute for all externally hosted files.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity\",\"id\":\"html.security.audit.missing-integrity.missing-integrity\",\"name\":\"html.security.audit.missing-integrity.missing-integrity\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-353: Missing Support for Integrity Check\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: html.security.audit.missing-integrity.missing-integrity\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"This link points to a plaintext HTTP URL. 
Prefer an encrypted HTTPS URL if possible.\"},\"help\":{\"markdown\":\"This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link)\\n - [https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)\\n\",\"text\":\"This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link\",\"id\":\"html.security.plaintext-http-link.plaintext-http-link\",\"name\":\"html.security.plaintext-http-link.plaintext-http-link\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: html.security.plaintext-http-link.plaintext-http-link\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\"},\"help\":{\"markdown\":\"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. 
Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.android.security.exported_activity.exported_activity)\\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\\n\",\"text\":\"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application\u0027s control plane.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.android.security.exported_activity.exported_activity\",\"id\":\"java.android.security.exported_activity.exported_activity\",\"name\":\"java.android.security.exported_activity.exported_activity\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-926: Improper Export of Android Application Components\",\"MEDIUM CONFIDENCE\",\"OWASP-A5:2021 Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.android.security.exported_activity.exported_activity\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\"},\"help\":{\"markdown\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. 
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"id\":\"java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"name\":\"java.aws-lambda.security.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\"},\"help\":{\"markdown\":\"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\\n\",\"text\":\"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. 
Upgrade to use AES.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated\",\"id\":\"java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated\",\"name\":\"java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\"},\"help\":{\"markdown\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. 
Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher\",\"id\":\"java.lang.security.audit.crypto.ecb-cipher.ecb-cipher\",\"name\":\"java.lang.security.audit.crypto.ecb-cipher.ecb-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"GCM IV/nonce is reused: encryption can be totally useless\"},\"help\":{\"markdown\":\"GCM IV/nonce is reused: encryption can be totally useless\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"GCM IV/nonce is reused: encryption can be totally useless\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse\",\"id\":\"java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse\",\"name\":\"java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-323: Reusing a Nonce, Key Pair in Encryption\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic 
Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher\",\"id\":\"java.lang.security.audit.crypto.no-null-cipher.no-null-cipher\",\"name\":\"java.lang.security.audit.crypto.no-null-cipher.no-null-cipher\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\"},\"help\":{\"markdown\":\"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\\n\",\"text\":\"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. 
Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector\",\"id\":\"java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector\",\"name\":\"java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-329: Generation of Predictable IV with CBC Mode\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using RSA without OAEP mode weakens the encryption.\"},\"help\":{\"markdown\":\"Using RSA without OAEP mode weakens the encryption.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\\n\",\"text\":\"Using RSA without OAEP mode weakens the encryption.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding\",\"id\":\"java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding\",\"name\":\"java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\\\"SHA256\\\");\"},\"help\":{\"markdown\":\"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\\\"SHA256\\\");\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\\n\",\"text\":\"Cryptographic algorithms are notoriously difficult to get right. 
By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\\\"SHA256\\\");\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests\",\"id\":\"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests\",\"name\":\"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\"},\"help\":{\"markdown\":\"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. 
Use HttpClientBuilder instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"id\":\"java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"name\":\"java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\"},\"help\":{\"markdown\":\"Insecure HostnameVerifier implementation detected. 
This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier\",\"id\":\"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier\",\"name\":\"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. 
See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\"},\"help\":{\"markdown\":\"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager)\\n - [https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https](https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https)\\n\",\"text\":\"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. 
See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager\",\"id\":\"java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager\",\"name\":\"java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-295: Improper Certificate Validation\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\"},\"help\":{\"markdown\":\"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n\",\"text\":\"Detected use of a Java socket that is not encrypted. 
As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by \u0027SSLSocketFactory\u0027 or \u0027SSLServerSocketFactory\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket\",\"id\":\"java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket\",\"name\":\"java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of AES with ECB mode detected. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb\",\"id\":\"java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb\",\"name\":\"java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. 
Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\\n\",\"text\":\"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"id\":\"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"name\":\"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\"},\"help\":{\"markdown\":\"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn\u0027t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\\\"AES/CBC/PKCS7PADDING\\\"). 
If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization\",\"id\":\"java.lang.security.audit.object-deserialization.object-deserialization\",\"name\":\"java.lang.security.audit.object-deserialization.object-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.object-deserialization.object-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\"},\"help\":{\"markdown\":\"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection\",\"id\":\"java.lang.security.audit.ognl-injection.ognl-injection\",\"name\":\"java.lang.security.audit.ognl-injection.ognl-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.ognl-injection.ognl-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\"},\"help\":{\"markdown\":\"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. 
Instead, follow the principle of least privilege and give users only the permissions they need.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission\",\"id\":\"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission\",\"name\":\"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-276: Incorrect Default Permissions\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, 
leading to spoofing, data theft, relay and other attacks.\"},\"help\":{\"markdown\":\"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors\",\"id\":\"java.lang.security.audit.permissive-cors.permissive-cors\",\"name\":\"java.lang.security.audit.permissive-cors.permissive-cors\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-183: Permissive List of Allowed Inputs\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.permissive-cors.permissive-cors\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\"},\"help\":{\"markdown\":\"Detected potential code injection using ScriptEngine. 
Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter \u0027.eval()\u0027, otherwise, this is a code injection vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection\",\"id\":\"java.lang.security.audit.script-engine-injection.script-engine-injection\",\"name\":\"java.lang.security.audit.script-engine-injection.script-engine-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.script-engine-injection.script-engine-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli\",\"id\":\"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli\",\"name\":\"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli\",\"id\":\"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli\",\"name\":\"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli\",\"id\":\"java.lang.security.audit.sqli.jdo-sqli.jdo-sqli\",\"name\":\"java.lang.security.audit.sqli.jdo-sqli.jdo-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli\",\"id\":\"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli\",\"name\":\"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a SQL sink or statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"id\":\"java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"name\":\"java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli\",\"id\":\"java.lang.security.audit.sqli.turbine-sqli.turbine-sqli\",\"name\":\"java.lang.security.audit.sqli.turbine-sqli.turbine-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\"},\"help\":{\"markdown\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using \u0027connection.prepareStatement\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli\",\"id\":\"java.lang.security.audit.sqli.vertx-sqli.vertx-sqli\",\"name\":\"java.lang.security.audit.sqli.vertx-sqli.vertx-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a \u0027ProcessBuilder\u0027 or \u0027exec\u0027 command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"id\":\"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"name\":\"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. 
`exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into the environment variables of an \u0027exec\u0027 command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\\\"command\\\", \\\"arg1\\\", \\\"arg2\\\"})`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"id\":\"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"name\":\"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-454: External Initialization of Trusted Variables or Data Stores\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"id\":\"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"name\":\"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. 
Instead, thoroughly sanitize user input before passing it into such function calls.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what\u0027s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"id\":\"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"name\":\"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-501: Trust Boundary Violation\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. 
This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\"},\"help\":{\"markdown\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. 
Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"id\":\"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"name\":\"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-643: Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\"},\"help\":{\"markdown\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. 
This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"id\":\"java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"name\":\"java.lang.security.audit.unsafe-reflection.unsafe-reflection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. 
Consider using an allowlist to validate URLs.\"},\"help\":{\"markdown\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"id\":\"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"name\":\"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\"},\"help\":{\"markdown\":\"URL rewriting has significant security risks. 
Since session ID appears in the URL, it may be easily seen by third parties.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting)\\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\\n\",\"text\":\"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting\",\"id\":\"java.lang.security.audit.url-rewriting.url-rewriting\",\"name\":\"java.lang.security.audit.url-rewriting.url-rewriting\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.url-rewriting.url-rewriting\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\"},\"help\":{\"markdown\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. 
Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\\n\",\"text\":\"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\\\"TLSv1.2\\\") for the best security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"id\":\"java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"name\":\"java.lang.security.audit.weak-ssl-context.weak-ssl-context\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-326: Inadequate Encryption Strength\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\"},\"help\":{\"markdown\":\"XMLDecoder should not be used to parse untrusted data. 
Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. 
See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder\",\"id\":\"java.lang.security.audit.xml-decoder.xml-decoder\",\"name\":\"java.lang.security.audit.xml-decoder.xml-decoder\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\"},\"help\":{\"markdown\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\\n\",\"text\":\"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. 
Ensure no external data can reach here, or remove \u0027escape=false\u0027 from this element.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"id\":\"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"name\":\"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences\",\"LOW CONFIDENCE\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\"},\"help\":{\"markdown\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. 
Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\\n\",\"text\":\"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"id\":\"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"name\":\"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. 
(https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\"},\"help\":{\"markdown\":\"It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"It looks like you\u0027re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. 
It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure\",\"id\":\"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure\",\"name\":\"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false\",\"id\":\"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false\",\"name\":\"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. 
Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://apache.org/xml/features/disallow-doctype-decl\\\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \\\"http://xml.org/sax/features/external-general-entities\\\" and \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing\",\"id\":\"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing\",\"name\":\"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://xml.org/sax/features/external-general-entities\\\" to false.\"},\"help\":{\"markdown\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \\\"http://xml.org/sax/features/external-general-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n\",\"text\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://xml.org/sax/features/external-general-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true\",\"id\":\"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true\",\"name\":\"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\"},\"help\":{\"markdown\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n\",\"text\":\"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \\\"http://xml.org/sax/features/external-parameter-entities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true\",\"id\":\"java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true\",\"name\":\"java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. 
For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing\",\"id\":\"java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing\",\"name\":\"java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \\\"accessExternalDTD\\\" and \\\"accessExternalStylesheet\\\" to \\\"\\\".\"},\"help\":{\"markdown\":\"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the attributes \\\"accessExternalDTD\\\" and \\\"accessExternalStylesheet\\\" to \\\"\\\".\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\\n\",\"text\":\"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the attributes \\\"accessExternalDTD\\\" and \\\"accessExternalStylesheet\\\" to \\\"\\\".\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled\",\"id\":\"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled\",\"name\":\"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\"},\"help\":{\"markdown\":\"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. 
Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\\n\",\"text\":\"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use\",\"id\":\"java.lang.security.do-privileged-use.do-privileged-use\",\"name\":\"java.lang.security.do-privileged-use.do-privileged-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-269: Improper Privilege Management\",\"LOW CONFIDENCE\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a potential path traversal. 
A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\"},\"help\":{\"markdown\":\"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\\n\",\"text\":\"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with \u0027../\u0027. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal\",\"id\":\"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal\",\"name\":\"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\"},\"help\":{\"markdown\":\"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\\n\",\"text\":\"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization\",\"id\":\"java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization\",\"name\":\"java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \\\"Per-class\\\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\"},\"help\":{\"markdown\":\"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \\\"Per-class\\\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\\n\",\"text\":\"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \\\"Per-class\\\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization\",\"id\":\"java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization\",\"name\":\"java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A8:2017 Insecure Deserialization\",\"OWASP-A8:2021 Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\"},\"help\":{\"markdown\":\"Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. 
Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Cross-site scripting detected in HttpServletResponse writer with variable \u0027$VAR\u0027. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: \u0027Encode.forHtml($VAR)\u0027.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss\",\"id\":\"java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss\",\"name\":\"java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) 
constructor instead, with SafeConstructor or a custom Constructor as the argument.\"},\"help\":{\"markdown\":\"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\\n\",\"text\":\"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) 
constructor instead, with SafeConstructor or a custom Constructor as the argument.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor\",\"id\":\"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor\",\"name\":\"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\"},\"help\":{\"markdown\":\"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. 
Disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\\n\",\"text\":\"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled\",\"id\":\"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled\",\"name\":\"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\"},\"help\":{\"markdown\":\"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\\n\",\"text\":\"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. 
Explicitly disable external entities by setting \\\"javax.xml.stream.isSupportingExternalEntities\\\" to false.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"id\":\"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"name\":\"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\"},\"help\":{\"markdown\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\\n\",\"text\":\"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"id\":\"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"name\":\"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"LOW CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Using an arbitrary object (\u0027$PARAMTYPE $PARAM\u0027) with Java RMI is an insecure deserialization vulnerability. 
This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.
  References: [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization); https://frohoff.github.io/appseccali-marshalling-pickles/; https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi; https://youtu.be/t_aw1mDNhzI; https://github.com/qtc-de/remote-method-guesser; https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331
  Rule: `java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization` (precision: very-high; tags: CWE-502: Deserialization of Untrusted Data; LOW CONFIDENCE; OWASP-A08:2017 - Insecure Deserialization; OWASP-A08:2021 - Software and Data Integrity Failures; security)

- Rule: `java.servlets.security.cookie-issecure-false.cookie-issecure-false` (level: warning; precision: very-high; tags: CWE-319: Cleartext Transmission of Sensitive Information; LOW CONFIDENCE; OWASP-A02:2021 - Cryptographic Failures; OWASP-A03:2017 - Sensitive Data Exposure; security)
  Message: Default session middleware settings: `setSecure` not set to true. Setting it ensures that the cookie is sent only over HTTPS, so it cannot be captured from cleartext HTTP traffic (CWE-319). The Secure attribute is not a cross-site scripting defense; the attribute that keeps scripts from reading the cookie is `HttpOnly`.
  References: [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false); https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean); https://owasp.org/www-community/controls/SecureCookieAttribute

- Rule: `java.spring.security.audit.spel-injection.spel-injection` (level: warning; precision: very-high; tags: CWE-94: Improper Control of Generation of Code ('Code Injection'); LOW CONFIDENCE; OWASP-A03:2021 - Injection; security)
  Message: A Spring expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values cannot reach this risky code evaluation.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection); https://owasp.org/Top10/A03_2021-Injection

- Rule: `java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled` (level: error; precision: very-high; tags: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; MEDIUM CONFIDENCE; OWASP-A01:2021 - Broken Access Control; security)
  Message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled); https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints; https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785; https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators

- Rule: `java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled` (level: warning; precision: very-high; tags: CWE-352: Cross-Site Request Forgery (CSRF); LOW CONFIDENCE; OWASP-A01:2021 - Broken Access Control; security)
  Message: CSRF protection is disabled for this configuration. This is a security risk.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled); https://owasp.org/Top10/A01_2021-Broken_Access_Control

- Rule: `java.spring.security.audit.spring-jsp-eval.spring-jsp-eval` (level: warning; precision: very-high; tags: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'); LOW CONFIDENCE; OWASP-A03:2021 - Injection; security)
  Message: A Spring expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values cannot reach this risky code evaluation.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval); https://owasp.org/Top10/A03_2021-Injection

- Rule: `java.spring.security.audit.spring-sqli.spring-sqli` (level: warning; precision: very-high; tags: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); MEDIUM CONFIDENCE; OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection; security)
  Message: Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli); https://owasp.org/Top10/A03_2021-Injection

- Rule: `java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect` (level: warning; precision: very-high; tags: CWE-601: URL Redirection to Untrusted Site ('Open Redirect'); MEDIUM CONFIDENCE; OWASP-A01:2021 - Broken Access Control; security)
  Message: Application redirects a user to a destination URL specified by a user-supplied parameter that is not validated.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect); https://owasp.org/Top10/A01_2021-Broken_Access_Control

- Rule: `java.spring.security.injection.tainted-file-path.tainted-file-path` (level: error; precision: very-high; tags: CWE-23: Relative Path Traversal; HIGH CONFIDENCE; OWASP-A01:2021 - Broken Access Control; security)
  Message: Detected user input controlling a file path. An attacker could control the location of this file, including walking up the directory tree with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to retrieve only the file name from the path.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path); https://owasp.org/www-community/attacks/Path_Traversal

- Rule: `java.spring.security.injection.tainted-html-string.tainted-html-string` (level: error; precision: very-high; tags: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); MEDIUM CONFIDENCE; OWASP-A03:2021 - Injection; OWASP-A07:2017 - Cross-Site Scripting (XSS); security)
  Message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML, and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string); https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

- Rule: `java.spring.security.injection.tainted-sql-string.tainted-sql-string` (level: error; precision: very-high; tags: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); MEDIUM CONFIDENCE; OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection; security)
  Message: User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string); https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html

- Rule: `java.spring.security.injection.tainted-system-command.tainted-system-command` (level: error; precision: very-high; tags: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); HIGH CONFIDENCE; OWASP-A01:2017 - Injection; OWASP-A03:2021 - Injection; security)
  Message: Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder("ls", "-al", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command); https://www.stackhawk.com/blog/command-injection-java/; https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html; https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java

- Rule: `java.spring.security.injection.tainted-url-host.tainted-url-host` (level: error; precision: very-high; tags: CWE-918: Server-Side Request Forgery (SSRF); MEDIUM CONFIDENCE; OWASP-A10:2021 - Server-Side Request Forgery (SSRF); security)
  Message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host); https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

- Rule: `java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping` (level: warning; precision: very-high; tags: CWE-352: Cross-Site Request Forgery (CSRF); LOW CONFIDENCE; OWASP-A01:2021 - Broken Access Control; security)
  Message: Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').
  References: [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping); https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING

- Rule: `javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true` (level: warning; precision: very-high; tags: CWE-400: Uncontrolled Resource Consumption; LOW CONFIDENCE; security)
  Message: By setting `allErrors: true` in the `Ajv` library, all error objects will be allocated without limit. This allows an attacker to produce a huge number of errors, which can lead to denial of service. Do not use `allErrors: true` in production.
  References: [Semgrep Rule](https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true); https://ajv.js.org/options.html#allerrors

- Rule: `javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods` (level: note; precision: very-high; tags: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); LOW CONFIDENCE; OWASP-A03:2021 - Injection; OWASP-A07:2017 - Cross-Site Scripting (XSS); security)
  Message: Use of angular.element can lead to XSS if user input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output-encode user input before inserting it into `$SINK`. If the HTML needs to be preserved, it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.
  References: [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods); https://docs.angularjs.org/api/ng/function/angular.element; https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf

- Rule: `javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint` (level: warning; precision: very-high; tags: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); MEDIUM CONFIDENCE; OWASP-A03:2021 - Injection; OWASP-A07:2017 - Cross-Site Scripting (XSS); security)
  Message: Use of angular.element can lead to XSS if user input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output-encode user input before inserting it into `$SINK`. If the HTML needs to be preserved, it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.
  References: [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint); https://docs.angularjs.org/api/ng/function/angular.element; https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf

{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Use of $window.location.href 
can lead to open-redirect if user input is used for redirection.\"},\"help\":{\"markdown\":\"Use of $window.location.href can lead to open-redirect if user input is used for redirection.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"Use of $window.location.href can lead to open-redirect if user input is used for redirection.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect\",\"id\":\"javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect\",\"name\":\"javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\"},\"help\":{\"markdown\":\"$sceDelegateProvider allowlisting can introduce security issues if 
wildcards are used.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading\",\"id\":\"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading\",\"name\":\"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\"},\"help\":{\"markdown\":\"$sceProvider is set to false. 
Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled)\\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled\",\"id\":\"javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled\",\"name\":\"javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAsCss can be dangerous if unsanitized user 
input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsCss](https://docs.angularjs.org/api/ng/service/$sce#trustAsCss)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml](https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\"},\"help\":{\"markdown\":\"The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method\",\"id\":\"javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method\",\"name\":\"javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\"},\"help\":{\"markdown\":\"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\\n\",\"text\":\"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method\",\"id\":\"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method\",\"name\":\"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. 
Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\"},\"help\":{\"markdown\":\"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\\n\",\"text\":\"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. 
Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf\",\"id\":\"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf\",\"name\":\"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\"},\"help\":{\"markdown\":\"Prefer Argon2id where possible. 
Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\\n\",\"text\":\"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"id\":\"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"name\":\"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-916: Use of Password Hash With Insufficient Computational Effort\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. 
Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\"},\"help\":{\"markdown\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it\u0027s better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. 
and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection)\\n - [https://github.com/cyrus-and/chrome-remote-interface](https://github.com/cyrus-and/chrome-remote-interface)\\n\",\"text\":\"If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection\",\"id\":\"javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection\",\"name\":\"javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\"},\"help\":{\"markdown\":\"Detected non-literal calls to Deno.run(). 
This could lead to a command injection vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\\n\",\"text\":\"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run\",\"id\":\"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run\",\"name\":\"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run\"}},{\"defaultConfiguration\":{\"level\":\"note\"},\"fullDescription\":{\"text\":\"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\"},\"help\":{\"markdown\":\"A CSRF middleware was not detected in your express application. 
Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage\",\"id\":\"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage\",\"name\":\"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-352: Cross-Site Request Forgery (CSRF)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: 
javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\"},\"help\":{\"markdown\":\"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\\n\",\"text\":\"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. 
If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing\",\"id\":\"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing\",\"name\":\"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-548: Exposure of Information Through Directory Listing\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\"},\"help\":{\"markdown\":\"Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. 
The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. 
If they match, then check the path attribute next.\"},\"help\":{\"markdown\":\"Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `expires` not set. 
Use it to set expiration date for persistent cookies.\"},\"help\":{\"markdown\":\"Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\"},\"help\":{\"markdown\":\"Default session middleware settings: `httpOnly` not set. 
It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\"},\"help\":{\"markdown\":\"Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. 
If this and domain match, then send the cookie in the request.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\"},\"help\":{\"markdown\":\"Default session middleware settings: `secure` not set. 
It ensures the browser only sends the cookie over HTTPS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure\",\"id\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure\",\"name\":\"javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\"},\"help\":{\"markdown\":\"Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. 
Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage)\\n - [https://github.com/mmckegg/notevil](https://github.com/mmckegg/notevil)\\n\",\"text\":\"Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage\",\"id\":\"javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage\",\"name\":\"javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1104: Use of Unmaintained Third Party Components\",\"LOW CONFIDENCE\",\"OWASP-A06:2021 - Vulnerable and Outdated Components\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\"},\"help\":{\"markdown\":\"No token revoking configured for `express-jwt`. 
A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\\n\",\"text\":\"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked\",\"id\":\"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked\",\"name\":\"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-522: Insufficiently Protected Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A04:2021 - Insecure Design\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\"},\"help\":{\"markdown\":\"The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. 
It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent\",\"id\":\"javascript.express.security.audit.express-libxml-noent.express-libxml-noent\",\"name\":\"javascript.express.security.audit.express-libxml-noent.express-libxml-noent\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"HIGH CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.express-libxml-noent.express-libxml-noent\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.\"},\"help\":{\"markdown\":\"Detected use of parseXml() function with the `noent` field set to `true`. 
If you must do this, ensure no external data can reach this location.\"},\"help\":{\"markdown\":\"Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape)\\n - [https://pugjs.org/language/code.html#unescaped-buffered-code](https://pugjs.org/language/code.html#unescaped-buffered-code)\\n - [https://pugjs.org/language/attributes.html#unescaped-attributes](https://pugjs.org/language/attributes.html#unescaped-attributes)\\n\",\"text\":\"Detected an explicit unescape in a Pug template, using either \u0027!=\u0027 or \u0027!{...}\u0027. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. 
If you must do this, ensure no external data can reach this location.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape\",\"id\":\"javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape\",\"name\":\"javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\"},\"help\":{\"markdown\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). 
You may also consider setting the Content Security Policy (CSP) header.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href)\\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\\n\",\"text\":\"Detected a template variable used in an anchor tag with the \u0027href\u0027 attribute. This allows a malicious actor to input the \u0027javascript:\u0027 URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=\u0027/\u0027+url). You may also consider setting the Content Security Policy (CSP) header.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href\",\"id\":\"javascript.express.security.audit.xss.pug.var-in-href.var-in-href\",\"name\":\"javascript.express.security.audit.xss.pug.var-in-href.var-in-href\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-href.var-in-href\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a template variable used in a script tag. 
Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\"},\"help\":{\"markdown\":\"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag)\\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\\n\",\"text\":\"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). 
Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag\",\"id\":\"javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag\",\"name\":\"javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\"},\"help\":{\"markdown\":\"By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration)\\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\\n\",\"text\":\"By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. 
Use literal values for CORS settings.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration\",\"id\":\"javascript.express.security.cors-misconfiguration.cors-misconfiguration\",\"name\":\"javascript.express.security.cors-misconfiguration.cors-misconfiguration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-346: Origin Validation Error\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.cors-misconfiguration.cors-misconfiguration\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\"},\"help\":{\"markdown\":\"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration)\\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\\n\",\"text\":\"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\\n\ud83d\udc8e Enable 
cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration\",\"id\":\"javascript.express.security.express-data-exfiltration.express-data-exfiltration\",\"name\":\"javascript.express.security.express-data-exfiltration.express-data-exfiltration\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-data-exfiltration.express-data-exfiltration\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\\n\",\"text\":\"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe\",\"id\":\"javascript.express.security.express-expat-xxe.express-expat-xxe\",\"name\":\"javascript.express.security.express-expat-xxe.express-expat-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"MEDIUM CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\"},\"help\":{\"markdown\":\"User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage\",\"id\":\"javascript.express.security.express-insecure-template-usage.express-insecure-template-usage\",\"name\":\"javascript.express.security.express-insecure-template-usage.express-insecure-template-usage\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\"},\"help\":{\"markdown\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\\n\",\"text\":\"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret\",\"id\":\"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret\",\"name\":\"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"HIGH CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If 
unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection)\\n - [https://phantomjs.org/page-automation.html](https://phantomjs.org/page-automation.html)\\n\",\"text\":\"If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection\",\"id\":\"javascript.express.security.express-phantom-injection.express-phantom-injection\",\"name\":\"javascript.express.security.express-phantom-injection.express-phantom-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-phantom-injection.express-phantom-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep 
Rule](https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection)\\n - [https://pptr.dev/api/puppeteer.page](https://pptr.dev/api/puppeteer.page)\\n\",\"text\":\"If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection\",\"id\":\"javascript.express.security.express-puppeteer-injection.express-puppeteer-injection\",\"name\":\"javascript.express.security.express-puppeteer-injection.express-puppeteer-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `sandbox`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `sandbox`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Make sure that unverified user data can not reach `sandbox`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection\",\"id\":\"javascript.express.security.express-sandbox-injection.express-sandbox-code-injection\",\"name\":\"javascript.express.security.express-sandbox-injection.express-sandbox-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `$VM`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `$VM`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Make sure that unverified user data can not reach `$VM`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection\",\"id\":\"javascript.express.security.express-vm-injection.express-vm-injection\",\"name\":\"javascript.express.security.express-vm-injection.express-vm-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - 
Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-vm-injection.express-vm-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `vm2`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `vm2`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Make sure that unverified user data can not reach `vm2`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection\",\"id\":\"javascript.express.security.express-vm2-injection.express-vm2-injection\",\"name\":\"javascript.express.security.express-vm2-injection.express-vm2-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable 
If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"id\":\"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"name\":\"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-1333: Inefficient Regular Expression Complexity\",\"LOW CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\"},\"help\":{\"markdown\":\"Detected a hardcoded hmac key. 
Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key)\\n - [https://rules.sonarsource.com/javascript/RSPEC-2068](https://rules.sonarsource.com/javascript/RSPEC-2068)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management)\\n\",\"text\":\"Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"id\":\"javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"name\":\"javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"LOW CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. 
Try to use sanitization library instead or use a Regex with a global flag.\"},\"help\":{\"markdown\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"id\":\"javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"name\":\"javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-116: Improper Encoding or Escaping of Output\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. 
MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://www.npmjs.com/package/bcrypt](https://www.npmjs.com/package/bcrypt)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use the `bcrypt` node.js package.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"id\":\"javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"name\":\"javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\"},\"help\":{\"markdown\":\"Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)\\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\\n\",\"text\":\"Detected possible user input going into a `path.join` or `path.resolve` function. 
This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"id\":\"javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"name\":\"javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"OWASP-A05:2017 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\"},\"help\":{\"markdown\":\"Possibility of prototype polluting function detected. 
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\\n\",\"text\":\"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). 
Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"id\":\"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"name\":\"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\"},\"help\":{\"markdown\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. 
Use \u0027{shell: false}\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Found \u0027$SPAWN\u0027 with \u0027{shell: $SHELL}\u0027. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use \u0027{shell: false}\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"id\":\"javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"name\":\"javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.spawn-shell-true.spawn-shell-true\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\"},\"help\":{\"markdown\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. 
An example of parameterized queries like so: `knex.raw(\u0027SELECT $1 from table\u0027, [userinput])` can help prevent SQLi.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli\",\"id\":\"javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli\",\"name\":\"javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input(\u0027USER_ID\u0027, mssql.Int, id);`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli\",\"id\":\"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli\",\"name\":\"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. 
In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\"},\"help\":{\"markdown\":\"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. 
In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli\",\"id\":\"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli\",\"name\":\"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\"},\"help\":{\"markdown\":\"Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. 
You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)\\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\\n\",\"text\":\"Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(\u0027SELECT $1 from table\u0027, [userinput])`\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli\",\"id\":\"javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli\",\"name\":\"javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes\",\"LOW CONFIDENCE\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). 
Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\"},\"help\":{\"markdown\":\"Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). Ensure \u0027$UNK\u0027 is not externally controlled, or sanitize this data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag)\\n - [https://www.developsec.com/2017/11/09/xss-in-a-script-tag/](https://www.developsec.com/2017/11/09/xss-in-a-script-tag/)\\n - [https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68](https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68)\\n\",\"text\":\"Cannot determine what \u0027$UNK\u0027 is and it is used with a \u0027\u003cscript\u003e\u0027 tag. This could be susceptible to cross-site scripting (XSS). 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"id\":\"javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"name\":\"javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\"},\"help\":{\"markdown\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"id\":\"javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"name\":\"javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"id\":\"javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"name\":\"javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"id\":\"javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"name\":\"javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\"},\"help\":{\"markdown\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"id\":\"javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"name\":\"javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `sandbox`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `sandbox`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Make sure that unverified user data can not reach `sandbox`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"id\":\"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"name\":\"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - 
Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\"},\"help\":{\"markdown\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe)\\n - [https://github.com/Leonidas-from-XIV/node-xml2js/issues/415](https://github.com/Leonidas-from-XIV/node-xml2js/issues/415)\\n - [https://github.com/isaacs/sax-js](https://github.com/isaacs/sax-js)\\n\",\"text\":\"Use of \u0027ondoctype\u0027 in \u0027sax\u0027 library detected. By default, \u0027sax\u0027 won\u0027t do anything with custom DTD entity definitions. 
If you\u0027re implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe\",\"id\":\"javascript.sax.security.audit.sax-xxe.sax-xxe\",\"name\":\"javascript.sax.security.audit.sax-xxe.sax-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sax.security.audit.sax-xxe.sax-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \\\"ssl: true\\\" or define settings \\\"ssl: {...}\\\"\"},\"help\":{\"markdown\":\"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. 
Set \\\"ssl: true\\\" or define settings \\\"ssl: {...}\\\"\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\\n\",\"text\":\"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. 
Set \\\"ssl: true\\\" or define settings \\\"ssl: {...}\\\"\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls\",\"id\":\"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls\",\"name\":\"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\"},\"help\":{\"markdown\":\"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. 
In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\\n\",\"text\":\"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection\",\"id\":\"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection\",\"name\":\"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"HIGH CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Set \\\"rejectUnauthorized\\\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. 
\\\"rejectUnauthorized\\\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \\\"ca\\\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\"},\"help\":{\"markdown\":\"Set \\\"rejectUnauthorized\\\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \\\"rejectUnauthorized\\\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \\\"ca\\\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\\n\",\"text\":\"Set \\\"rejectUnauthorized\\\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. 
\\\"rejectUnauthorized\\\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \\\"ca\\\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation\",\"id\":\"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation\",\"name\":\"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\"},\"help\":{\"markdown\":\"TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. 
Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version)\\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\\n\",\"text\":\"TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. 
This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version\",\"id\":\"javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version\",\"name\":\"javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\"},\"help\":{\"markdown\":\"`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript\",\"id\":\"javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript\",\"name\":\"javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `exec` method it can result in Remote Code Execution\"},\"help\":{\"markdown\":\"If unverified user data can reach the `exec` method it can result in Remote Code Execution\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"If unverified user data can reach the `exec` method it can result in Remote Code Execution\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection\",\"id\":\"javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection\",\"name\":\"javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper 
Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Potential arbitrary code execution, piped to eval\"},\"help\":{\"markdown\":\"Potential arbitrary code execution, piped to eval\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Potential arbitrary code execution, piped to eval\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution\",\"id\":\"javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution\",\"name\":\"javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `vm2`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `vm2`.\\n\\n#### \ud83d\udc8e Enable 
cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Make sure that unverified user data can not reach `vm2`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection\",\"id\":\"javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection\",\"name\":\"javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Make sure that unverified user data can not reach `vm2`.\"},\"help\":{\"markdown\":\"Make sure that unverified user data can not reach `vm2`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"Make sure that unverified user data can not reach `vm2`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection\",\"id\":\"javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection\",\"name\":\"javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\"},\"help\":{\"markdown\":\"Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html)\\n - [https://vuejs.org/v2/guide/syntax.html#Raw-HTML](https://vuejs.org/v2/guide/syntax.html#Raw-HTML)\\n\",\"text\":\"Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. 
Only use HTML interpolation on trusted content and never on user-provided content.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html\",\"id\":\"javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html\",\"name\":\"javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection\",\"id\":\"javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection\",\"name\":\"javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at 
sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection\",\"id\":\"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection\",\"name\":\"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"LOW CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\"},\"help\":{\"markdown\":\"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe)\\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\\n\",\"text\":\"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe\",\"id\":\"javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe\",\"name\":\"javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-611: Improper 
Restriction of XML External Entity Reference\",\"LOW CONFIDENCE\",\"OWASP-A04:2017 - XML External Entities (XXE)\",\"OWASP-A05:2021 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\"},\"help\":{\"markdown\":\"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\\n\",\"text\":\"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. 
Please review the bucket configuration to make sure they are set with intended values.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket\",\"id\":\"json.aws.security.public-s3-bucket.public-s3-bucket\",\"name\":\"json.aws.security.public-s3-bucket.public-s3-bucket\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\"},\"help\":{\"markdown\":\"Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement)\\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html)\\n\",\"text\":\"Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. 
Do not do this unless you will never have sensitive data inside the bucket.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement\",\"id\":\"json.aws.security.public-s3-policy-statement.public-s3-policy-statement\",\"name\":\"json.aws.security.public-s3-policy-statement.public-s3-policy-statement\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: json.aws.security.public-s3-policy-statement.public-s3-policy-statement\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\"},\"help\":{\"markdown\":\"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\\n\",\"text\":\"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. 
Instead, limit to a specific identity in your account, like this: `arn:aws:iam::\u003caccount_id\u003e:root`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role\",\"id\":\"json.aws.security.wildcard-assume-role.wildcard-assume-role\",\"name\":\"json.aws.security.wildcard-assume-role.wildcard-assume-role\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-250: Execution with Unnecessary Privileges\",\"MEDIUM CONFIDENCE\",\"OWASP-A05:2021 - Security Misconfiguration\",\"OWASP-A06:2017 - Security Misconfiguration\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\"},\"help\":{\"markdown\":\"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. 
It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded\",\"id\":\"kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded\",\"name\":\"kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-798: Use of Hard-coded Credentials\",\"MEDIUM CONFIDENCE\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected anonymous LDAP bind. 
This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\"},\"help\":{\"markdown\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind)\\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\\n\",\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind\",\"id\":\"kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind\",\"name\":\"kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. 
This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\"},\"help\":{\"markdown\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\\n\",\"text\":\"\u0027Integer.toHexString()\u0027 strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use \u0027String.format(\\\"%02X\\\", ...)\u0027 instead.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion\",\"id\":\"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion\",\"name\":\"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-704: Incorrect Type Conversion or Cast\",\"LOW CONFIDENCE\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Ensure your variables are not controlled by users or sufficiently sanitized.\"},\"help\":{\"markdown\":\"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Semgrep rule metadata from the SARIF `tool.driver.rules` array, rendered as a table (the first and last rules are cut off at the edges of this excerpt). Every rule's help URI is `https://semgrep.dev/r/<rule id>`, and every rule here carries precision `very-high`.

| Rule id | Level | Confidence | CWE | OWASP | Description | Additional references |
|---|---|---|---|---|---|---|
| kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call | (not in excerpt) | LOW | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | A01:2017 Injection; A03:2021 Injection | ...Ensure your variables are not controlled by users or sufficiently sanitized. (only the end of the description falls in this excerpt) | (not in excerpt) |
| kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly | warning | LOW | CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag | A05:2021 Security Misconfiguration | A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling `cookie.setHttpOnly(true);` | https://owasp.org/Top10/A05_2021-Security_Misconfiguration |
| kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag | warning | LOW | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | A05:2021 Security Misconfiguration | A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling `$COOKIE.setSecure(true);` | https://owasp.org/Top10/A05_2021-Security_Misconfiguration |
| kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated | warning | LOW | CWE-326: Inadequate Encryption Strength | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.ecb-cipher.ecb-cipher | warning | MEDIUM | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time, which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.gcm-detection.gcm-detection | note | LOW | CWE-323: Reusing a Nonce, Key Pair in Encryption | A02:2021 Cryptographic Failures | GCM detected, please check that the IV/nonce is not reused. An Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the corresponding ciphertexts are different. Unlike the key, the IV usually does not need to be secret; rather, it is important that it is random and unique. In certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing the same Initialization Vector with the same key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted. | https://cwe.mitre.org/data/definitions/323.html |
| kotlin.lang.security.no-null-cipher.no-null-cipher | warning | MEDIUM | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: `Cipher.getInstance("AES/CBC/PKCS7PADDING")`. See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.unencrypted-socket.unencrypted-socket | warning | LOW | CWE-319: Cleartext Transmission of Sensitive Information | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.use-of-md5.use-of-md5 | warning | MEDIUM | CWE-328: Use of Weak Hash | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.use-of-sha1.use-of-sha1 | warning | MEDIUM | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. | https://owasp.org/Top10/A02_2021-Cryptographic_Failures |
| kotlin.lang.security.weak-rsa.use-of-weak-rsa-key | warning | HIGH | CWE-326: Inadequate Encryption Strength | A02:2021 Cryptographic Failures; A03:2017 Sensitive Data Exposure | RSA keys should be at least 2048 bits based on NIST recommendation. | https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms |
| ocaml.lang.compatibility.deprecated.deprecated-pervasives | error | (no tags) | (none) | (none) | Pervasives is deprecated and will not be available after 4.10. Use Stdlib. | (none) |
| ocaml.lang.portability.crlf-support.broken-input-line | warning | (no tags) | (none) | (none) | 'input_line' leaves a '\r' (CR) character when reading lines from a Windows text file, whose lines end in "\r\n" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning. | (none) |
| ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode | warning | (no tags) | (none) | (none) | 'open_in' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_in_bin' or 'open_in_gen [Open_binary]'. If you really want CRLF-to-LF translations to take place when running on Windows, use 'open_in_gen [Open_text]'. | (none) |
| ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode | warning | (no tags) | (none) | (none) | 'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'. | (none) |
| ocaml.lang.portability.slash-tmp.not-portable-tmp-string | warning | (no tags) | (none) | (none) | You should probably use Filename.get_temp_dirname(). | (none) |
| ocaml.lang.security.unsafe.ocamllint-unsafe | warning | MEDIUM | CWE-242: Use of Inherently Dangerous Function (4.12) | (none) | Unsafe functions do not perform boundary checks or have other side effects; use with care. | https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get ; https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string |
| php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query | warning | LOW | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | A01:2017 Injection; A03:2021 Injection | Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. | https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html ; https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html |
| php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query | warning | MEDIUM | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | A01:2017 Injection; A03:2021 Injection | `$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. | https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection ; https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html |
| php.lang.security.assert-use.assert-use | error | HIGH | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | A03:2021 Injection | Calling assert with user input is equivalent to eval'ing. | https://www.php.net/manual/en/function.assert ; https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php |
| php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate | warning | LOW | CWE-252: Unchecked Return Value | A02:2021 Cryptographic Failures | The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`. | https://www.php.net/manual/en/function.openssl-decrypt.php |
| (rule id not in excerpt) | warning | (not in excerpt) | (not in excerpt) | (not in excerpt) | This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security. (the rest of this entry continues past this excerpt) | (not in excerpt) |
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash)\\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\\n\",\"text\":\"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash\",\"id\":\"php.lang.security.audit.sha224-hash.sha224-hash\",\"name\":\"php.lang.security.audit.sha224-hash.sha224-hash\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-328: Use of Weak Hash\",\"HIGH CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.audit.sha224-hash.sha224-hash\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Backticks use may lead to command injection vulnerabilities.\"},\"help\":{\"markdown\":\"Backticks use may lead to command injection vulnerabilities.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use)\\n - [https://www.php.net/manual/en/language.operators.execution.php](https://www.php.net/manual/en/language.operators.execution.php)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php)\\n\",\"text\":\"Backticks use may lead to command injection vulnerabilities.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use\",\"id\":\"php.lang.security.backticks-use.backticks-use\",\"name\":\"php.lang.security.backticks-use.backticks-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.backticks-use.backticks-use\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\"},\"help\":{\"markdown\":\"The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. 
It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision)\\n - [https://www.php.net/base_convert](https://www.php.net/base_convert)\\n - [https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/](https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/)\\n\",\"text\":\"The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision\",\"id\":\"php.lang.security.base-convert-loses-precision.base-convert-loses-precision\",\"name\":\"php.lang.security.base-convert-loses-precision.base-convert-loses-precision\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-190: Integer Overflow or Wraparound\",\"HIGH CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.base-convert-loses-precision.base-convert-loses-precision\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\"},\"help\":{\"markdown\":\"SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - 
[Semgrep Rule](https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off)\\n - [https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/](https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/)\\n\",\"text\":\"SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off\",\"id\":\"php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off\",\"name\":\"php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\"},\"help\":{\"markdown\":\"Do not call \u0027extract()\u0027 on user-controllable data. 
If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data)\\n - [https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes](https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes)\\n\",\"text\":\"Do not call \u0027extract()\u0027 on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data\",\"id\":\"php.lang.security.deserialization.extract-user-data\",\"name\":\"php.lang.security.deserialization.extract-user-data\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-502: Deserialization of Untrusted Data\",\"MEDIUM CONFIDENCE\",\"OWASP-A08:2017 - Insecure Deserialization\",\"OWASP-A08:2021 - Software and Data Integrity Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.deserialization.extract-user-data\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Evaluating non-constant commands. This can lead to command injection.\"},\"help\":{\"markdown\":\"Evaluating non-constant commands. 
This can lead to command injection.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.eval-use.eval-use)\\n - [https://www.php.net/manual/en/function.eval](https://www.php.net/manual/en/function.eval)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\\n\",\"text\":\"Evaluating non-constant commands. This can lead to command injection.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.eval-use.eval-use\",\"id\":\"php.lang.security.eval-use.eval-use\",\"name\":\"php.lang.security.eval-use.eval-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.eval-use.eval-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Executing non-constant commands. This can lead to command injection.\"},\"help\":{\"markdown\":\"Executing non-constant commands. 
This can lead to command injection.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.exec-use.exec-use)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php)\\n\",\"text\":\"Executing non-constant commands. This can lead to command injection.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.exec-use.exec-use\",\"id\":\"php.lang.security.exec-use.exec-use\",\"name\":\"php.lang.security.exec-use.exec-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.exec-use.exec-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\"},\"help\":{\"markdown\":\"FTP allows for unencrypted file transfers. 
Consider using an encrypted alternative.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\\n\",\"text\":\"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use\",\"id\":\"php.lang.security.ftp-use.ftp-use\",\"name\":\"php.lang.security.ftp-use.ftp-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-319: Cleartext Transmission of Sensitive Information\",\"LOW CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.ftp-use.ftp-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\"},\"help\":{\"markdown\":\"`Printing user input risks cross-site scripting vulnerability. 
You should use `htmlentities()` when showing data to users.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request)\\n - [https://www.php.net/manual/en/function.htmlentities.php](https://www.php.net/manual/en/function.htmlentities.php)\\n - [https://www.php.net/manual/en/reserved.variables.request.php](https://www.php.net/manual/en/reserved.variables.request.php)\\n - [https://www.php.net/manual/en/reserved.variables.post.php](https://www.php.net/manual/en/reserved.variables.post.php)\\n - [https://www.php.net/manual/en/reserved.variables.get.php](https://www.php.net/manual/en/reserved.variables.get.php)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"`Printing user input risks cross-site scripting vulnerability. 
You should use `htmlentities()` when showing data to users.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request\",\"id\":\"php.lang.security.injection.printed-request.printed-request\",\"name\":\"php.lang.security.injection.printed-request.printed-request\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"OWASP-A07:2017 - Cross-Site Scripting (XSS)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.printed-request.printed-request\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Callable based on user input risks remote code execution.\"},\"help\":{\"markdown\":\"Callable based on user input risks remote code execution.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable)\\n - [https://www.php.net/manual/en/language.types.callable.php](https://www.php.net/manual/en/language.types.callable.php)\\n\",\"text\":\"Callable based on user input risks remote code execution.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable\",\"id\":\"php.lang.security.injection.tainted-callable.tainted-callable\",\"name\":\"php.lang.security.injection.tainted-callable.tainted-callable\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"MEDIUM 
CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-callable.tainted-callable\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User input is passed to a function that executes a shell command. This can lead to remote code execution.\"},\"help\":{\"markdown\":\"User input is passed to a function that executes a shell command. This can lead to remote code execution.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"User input is passed to a function that executes a shell command. This can lead to remote code execution.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec\",\"id\":\"php.lang.security.injection.tainted-exec.tainted-exec\",\"name\":\"php.lang.security.injection.tainted-exec.tainted-exec\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-exec.tainted-exec\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"File name based on user input risks server-side request forgery.\"},\"help\":{\"markdown\":\"File name based on user input risks server-side request forgery.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca 
href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\\n\",\"text\":\"File name based on user input risks server-side request forgery.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename\",\"id\":\"php.lang.security.injection.tainted-filename.tainted-filename\",\"name\":\"php.lang.security.injection.tainted-filename.tainted-filename\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\"},\"help\":{\"markdown\":\"\u003c- A new object is created where the class name is based on user input. 
This could lead to remote code execution, as it allows to instantiate any class in the application.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation)\\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\\n\",\"text\":\"\u003c- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation\",\"id\":\"php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation\",\"name\":\"php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\"},\"help\":{\"markdown\":\"Session key based on user input risks session poisoning. 
The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\\n\",\"text\":\"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session\",\"id\":\"php.lang.security.injection.tainted-session.tainted-session\",\"name\":\"php.lang.security.injection.tainted-session.tainted-session\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-284: Improper Access Control\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2021 - Broken Access Control\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\"},\"help\":{\"markdown\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\\n\",\"text\":\"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`$mysqli-\u003eprepare(\\\"INSERT INTO test(id, label) VALUES (?, ?)\\\");`) or a safe library.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"id\":\"php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"name\":\"php.lang.security.injection.tainted-sql-string.tainted-sql-string\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\",\"MEDIUM CONFIDENCE\",\"OWASP-A01:2017 - Injection\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\"},\"help\":{\"markdown\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\\n\",\"text\":\"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host\",\"id\":\"php.lang.security.injection.tainted-url-host.tainted-url-host\",\"name\":\"php.lang.security.injection.tainted-url-host.tainted-url-host\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-918: Server-Side Request Forgery (SSRF)\",\"MEDIUM CONFIDENCE\",\"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. 
Consider enforcing authentication for LDAP.\"},\"help\":{\"markdown\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password)\\n - [https://www.php.net/manual/en/function.ldap-bind.php](https://www.php.net/manual/en/function.ldap-bind.php)\\n\",\"text\":\"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"id\":\"php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"name\":\"php.lang.security.ldap-bind-without-password.ldap-bind-without-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-287: Improper Authentication\",\"LOW CONFIDENCE\",\"OWASP-A02:2017 - Broken Authentication\",\"OWASP-A07:2021 - Identification and Authentication Failures\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.ldap-bind-without-password.ldap-bind-without-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\"},\"help\":{\"markdown\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. 
The eval modifier (`e`) evaluates the replacement argument as code.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval)\\n - [https://www.php.net/manual/en/function.mb-ereg-replace.php](https://www.php.net/manual/en/function.mb-ereg-replace.php)\\n - [https://www.php.net/manual/en/function.mb-regex-set-options.php](https://www.php.net/manual/en/function.mb-regex-set-options.php)\\n\",\"text\":\"Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"id\":\"php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"name\":\"php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\",\"LOW CONFIDENCE\",\"OWASP-A03:2021 - Injection\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\"},\"help\":{\"markdown\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. 
Consider using Sodium or OpenSSL.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use)\\n - [https://www.php.net/manual/en/intro.mcrypt.php](https://www.php.net/manual/en/intro.mcrypt.php)\\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php)\\n\",\"text\":\"Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.mcrypt-use.mcrypt-use\",\"id\":\"php.lang.security.mcrypt-use.mcrypt-use\",\"name\":\"php.lang.security.mcrypt-use.mcrypt-use\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-676: Use of Potentially Dangerous Function\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.mcrypt-use.mcrypt-use\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\"},\"help\":{\"markdown\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\\n - 
[https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\\n - [https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/](https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/)\\n\",\"text\":\"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality\",\"id\":\"php.lang.security.md5-loose-equality.md5-loose-equality\",\"name\":\"php.lang.security.md5-loose-equality.md5-loose-equality\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-697: Incorrect Comparison\",\"LOW CONFIDENCE\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality\"}},{\"defaultConfiguration\":{\"level\":\"warning\"},\"fullDescription\":{\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\"},\"help\":{\"markdown\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\\n\",\"text\":\"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. 
You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password\",\"id\":\"php.lang.security.md5-used-as-password.md5-used-as-password\",\"name\":\"php.lang.security.md5-used-as-password.md5-used-as-password\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\",\"MEDIUM CONFIDENCE\",\"OWASP-A02:2021 - Cryptographic Failures\",\"OWASP-A03:2017 - Sensitive Data Exposure\",\"security\"]},\"shortDescription\":{\"text\":\"Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password\"}},{\"defaultConfiguration\":{\"level\":\"error\"},\"fullDescription\":{\"text\":\"Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\"},\"help\":{\"markdown\":\"Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\\n\\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at \u003ca href=\u0027https://sg.run/pro\u0027\u003esg.run/pro\u003c/a\u003e\\n\\n\u003cb\u003eReferences:\u003c/b\u003e\\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv)\\n - [https://csrc.nist.gov/publications/detail/sp/800-38a/final](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\\n\",\"text\":\"Static IV used with AES in CBC mode. 
Static IVs enable chosen-plaintext attacks against encrypted data.\\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\"},\"helpUri\":\"https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"id\":\"php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"name\":\"php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv\",\"properties\":{\"precision\":\"very-high\",\"tags\":[\"CWE-329: Generation of Pred
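The tainted-url-host finding above recommends an allowlist of approved hosts rather than letting user data reach the host portion of an outbound URL. The following PHP is an added example of that mitigation; it is not code from the scanned project or from Semgrep. The allowlisted host names, the sample URLs and the `validateOutboundUrl`/`fetchAllowlisted` function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist of hosts this service is permitted to call (hypothetical names).
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

/**
 * Validate a caller-supplied absolute URL against the allowlist and rebuild it
 * from its checked components. Throws on anything that is not an https URL to
 * an approved host on the default port. The original string is never reused,
 * so userinfo tricks ("https://api.example.com@evil.test/") and embedded
 * credentials cannot survive into the outbound request.
 */
function validateOutboundUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL is not absolute or cannot be parsed');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('only https is permitted');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('userinfo in URL is not permitted');
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        throw new InvalidArgumentException('non-default port is not permitted');
    }
    // Compare the lowercased host, trailing dot removed, against the allowlist (strict in_array).
    $host = rtrim(strtolower($parts['host']), '.');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("host not in allowlist: {$host}");
    }
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'https://' . $host . $path . $query;
}

/**
 * Fetch with redirects disabled: an allowlisted host that redirects to an
 * internal address would otherwise re-introduce SSRF. If redirects must be
 * followed, each Location target has to go back through validateOutboundUrl().
 */
function fetchAllowlisted(string $url): string
{
    $safeUrl = validateOutboundUrl($url);
    $ch = curl_init($safeUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request failed: {$err}");
    }
    curl_close($ch);
    return $body;
}

// Constructed inputs: only the first survives validation; the others exercise
// userinfo smuggling, plain http, a cloud metadata address and a non-default port.
$samples = [
    'https://api.example.com/v1/items?id=7',
    'https://api.example.com@evil.test/',
    'http://api.example.com/',
    'https://169.254.169.254/latest/meta-data/',
    'https://api.example.com:8443/admin',
];
foreach ($samples as $s) {
    try {
        echo validateOutboundUrl($s), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$s} ({$e->getMessage()})\n";
    }
}
```

A host allowlist stops the request from being pointed at arbitrary or internal addresses, but it does not protect against an allowlisted host that is itself compromised or that redirects elsewhere, which is why redirect following is disabled above. If the product genuinely needs user-chosen hosts, the check has to move to the resolved IP address (rejecting loopback, link-local and RFC 1918 ranges) and be repeated at connect time to defeat DNS rebinding.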
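The md5-loose-equality and md5-used-as-password findings are two sides of the same problem, so one added PHP example covers both; it is not code from the scanned project or from Semgrep. The two inputs are constructed: they are well-known "magic hash" preimages whose MD5 digests both have the form 0e followed only by digits, which PHP's loose `==` treats as the numeric string 0 * 10^n. The function names are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed inputs chosen for their MD5 digests:
//   md5('240610708') = 0e462097431906509019562988736854
//   md5('QNKCDZO')   = 0e830400451993494058024219903391
// Both are numeric strings of the form 0e<digits>, so loose == compares 0 == 0.
const STORED_SECRET  = '240610708';
const ATTACKER_INPUT = 'QNKCDZO';

// Flagged pattern: loose comparison of two digest strings. A supplied value
// whose digest is any other 0e<digits> string is accepted as equal.
function tokenMatchesLoose(string $supplied, string $expectedDigest): bool
{
    return md5($supplied) == $expectedDigest;
}

// Fix for the comparison itself: hash_equals() is type-strict (no numeric
// juggling) and constant-time (no early-exit timing leak).
function tokenMatchesStrict(string $supplied, string $expectedDigest): bool
{
    return hash_equals($expectedDigest, md5($supplied));
}

// Fix for passwords: a fast digest such as MD5 is the wrong primitive however it
// is compared. password_hash() returns a salted bcrypt string with its cost
// embedded; password_verify() re-derives and compares it in constant time.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// On successful login, re-hash if the stored parameters fall below current policy.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

$expected = md5(STORED_SECRET);
var_dump(tokenMatchesLoose(ATTACKER_INPUT, $expected));   // juggling: a different input compares equal
var_dump(tokenMatchesStrict(ATTACKER_INPUT, $expected));  // strict: rejected
var_dump(tokenMatchesStrict(STORED_SECRET, $expected));   // strict: the real secret still matches

$hash = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('Tr0ub4dor&3', $hash));
var_dump(needsUpgrade($hash));
```

The loose-equality result does not depend on the PHP major version: in PHP 8, `==` still compares two numeric strings numerically, so the magic-hash comparison remains true. Note that bcrypt only uses the first 72 bytes of the password; if longer inputs must be supported, pre-hash them or use `PASSWORD_ARGON2ID` where the build provides it.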
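The openssl-cbc-static-iv finding describes the weakness but not what a correct construction looks like, so the following is an added PHP example that shows the flagged pattern beside a hardened one; it is not code from the scanned project or from Semgrep. The key derivation labels, the `iv || ciphertext || tag` layout and the function names are assumptions for the illustration; the demo key and message are constructed.

```php
<?php
declare(strict_types=1);

const CIPHER  = 'aes-256-cbc';
const TAG_LEN = 32; // HMAC-SHA256 output length in bytes

// Flagged pattern: a fixed IV. Under one key, equal plaintexts give equal
// ciphertexts and equal leading blocks give equal leading ciphertext blocks, so
// anyone who can get chosen values encrypted can confirm guesses about other
// stored values (the chosen-plaintext weakness the rule refers to).
function encryptStaticIv(string $plaintext, string $key): string
{
    $iv = str_repeat("\0", 16);
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

// Separate encryption and MAC keys derived from one master key with HKDF.
function deriveKeys(string $master): array
{
    return [
        hash_hkdf('sha256', $master, 32, 'cbc-encryption'),
        hash_hkdf('sha256', $master, 32, 'cbc-authentication'),
    ];
}

// Fix: a fresh random IV per message, stored in front of the ciphertext, plus an
// HMAC over iv||ct (encrypt-then-MAC) so that tampered blobs and padding-oracle
// probes are rejected before any decryption is attempted.
function encryptCbc(string $plaintext, string $master): string
{
    [$encKey, $macKey] = deriveKeys($master);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;
}

function decryptCbc(string $blob, string $master): string
{
    [$encKey, $macKey] = deriveKeys($master);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen + 16 + TAG_LEN) {
        throw new RuntimeException('ciphertext too short');
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, -TAG_LEN);
    $ct  = substr($blob, $ivLen, -TAG_LEN);
    // Verify the MAC first, in constant time; never decrypt unauthenticated data.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo: a random master key and the same message encrypted twice.
$master = random_bytes(32);
$msg    = 'balance=100';

// Static IV: the two ciphertexts are identical, which is exactly the leak.
var_dump(encryptStaticIv($msg, $master) === encryptStaticIv($msg, $master));
// Random IV: the ciphertexts differ while both still decrypt to the message.
$a = encryptCbc($msg, $master);
$b = encryptCbc($msg, $master);
var_dump($a !== $b && decryptCbc($a, $master) === $msg && decryptCbc($b, $master) === $msg);
// Flipping one ciphertext byte is caught by the MAC, not surfaced as a padding error.
$tampered = $a;
$tampered[16] = chr(ord($tampered[16]) ^ 0x01);
try {
    decryptCbc($tampered, $master);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

For new code the simpler route, and the one the adjacent mcrypt-use finding points at with "Sodium", is an authenticated mode out of the box: `sodium_crypto_secretbox()` with a `random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES)` nonce, or AES-256-GCM through `openssl_encrypt()` with its `$tag` argument. CBC plus HMAC as above is the pattern to use only when an existing format has to be kept.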